Definition
An HTTP cookie is a small piece of data that a web server sends to a user's browser, which stores it and sends it back with subsequent requests to the same server. Cookies enable stateful sessions, user preferences, and tracking on the otherwise stateless HTTP protocol.
When a server responds to an HTTP request, it can include a Set-Cookie header containing a name-value pair and optional attributes. The browser stores this cookie and automatically attaches it, via the Cookie header, to subsequent requests that match the cookie's scope. This is how websites "remember" that you are logged in, what is in your shopping cart, or which language you prefer, even though HTTP itself has no memory between requests.
Several attributes control cookie behavior. Expires/Max-Age determines when the cookie is deleted (session cookies, which have neither, disappear when the browser closes). Domain and Path restrict which URLs receive the cookie. Secure ensures the cookie is only sent over HTTPS. HttpOnly prevents JavaScript from reading the cookie (limiting cookie theft through XSS). SameSite controls whether the cookie is sent with cross-site requests (mitigating CSRF attacks). Modern best practices require Secure, HttpOnly, and SameSite=Strict or Lax for sensitive cookies.
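The attribute rules above, turned into a small audit script. This is an added example, not code from the page: it parses raw Set-Cookie header values and reports which of the Secure, HttpOnly and SameSite protections a cookie is missing. The sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for the Secure / HttpOnly / SameSite baseline."""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lowercased) -> value, or True for flag attributes
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Only the first '=' separates name from value, so values that contain
    '=' (base64, for example) survive. Attribute names are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if sep else True
    return cookie


def audit(cookie: Cookie) -> list[str]:
    """Return the findings a reviewer would raise for a sensitive cookie."""
    findings = []
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: may be sent over plain HTTP")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: readable by script (XSS exposure)")
    same_site = cookie.attrs.get("samesite")
    if same_site is None or same_site is True:
        findings.append("missing SameSite: sent on cross-site requests (CSRF exposure)")
    elif str(same_site).lower() not in ("strict", "lax"):
        findings.append(f"SameSite={same_site}: cross-site sending allowed")
    return findings


SAMPLE_HEADERS = [  # constructed for this example
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cart=item42; Path=/; Max-Age=3600",
    "tracker=xyz; Domain=.ads.example; SameSite=None; Secure",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie = parse_set_cookie(header)
        print(cookie.name, audit(cookie) or ["ok"])
```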
Third-party cookies (set by domains other than the one you are visiting) have been used for cross-site tracking and advertising. Privacy regulations like GDPR and CCPA require explicit consent before setting non-essential cookies, which led to the cookie consent banners seen across the web. Browsers are increasingly restricting or blocking third-party cookies entirely — Chrome plans to phase them out, and Safari and Firefox already block them by default.