HTTP Cookies Cheat Sheet
HTTP cookies are small pieces of data stored on the client by the browser and sent to the server with subsequent requests. They are commonly used for session management, authentication, personalization, and tracking.
What Is a Cookie
A cookie is a name–value pair. The server sends it in the Set-Cookie response header; the client stores it and returns it in the Cookie request header on subsequent requests.
Set-Cookie: session_id=abc123
GET /dashboard HTTP/1.1
Cookie: session_id=abc123
Cookie Lifecycle
A cookie is session-based or persistent depending on its attributes: without Expires or Max-Age it is a session cookie, and with either one it is persistent.
Set-Cookie: theme=dark
Set-Cookie: theme=dark; Expires=Wed, 21 Oct 2025 07:28:00 GMT
Session Cookies
Session cookies are deleted when the browser session ends.
Set-Cookie: session_id=xyz789
GET /profile HTTP/1.1
Cookie: session_id=xyz789
Persistent Cookies
Persistent cookies remain stored until their expiration date.
Set-Cookie: remember_me=true; Expires=Wed, 21 Oct 2026 07:28:00 GMT
GET / HTTP/1.1
Cookie: remember_me=true
Cookie Attributes
Cookie attributes control scope, lifetime, and security behavior.
Set-Cookie: id=123; Path=/; Domain=example.com
Set-Cookie: lang=en; Path=/docs
Expires
Specifies an absolute expiration date for the cookie.
Expires=Wed, 21 Oct 2025 07:28:00 GMT
Set-Cookie: token=abc; Expires=Wed, 21 Oct 2025 07:28:00 GMT
Max-Age
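Defines the cookie lifetime in seconds, counted from when the browser receives it. When both Max-Age and Expires are present, Max-Age takes precedence.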
Max-Age=3600
Set-Cookie: token=abc; Max-Age=3600
Domain
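Controls which hosts receive the cookie. When Domain is set, the cookie is also sent to subdomains of that domain; when it is omitted, the cookie is sent only to the host that set it.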
Domain=example.com
Set-Cookie: id=1; Domain=example.com
Path
Restricts the cookie to requests whose URL path falls under the given path.
Path=/account
Set-Cookie: session_id=abc; Path=/account
Secure
Ensures the cookie is only sent over HTTPS.
Secure
Set-Cookie: session_id=abc; Secure
HttpOnly
Prevents client-side scripts from accessing the cookie.
HttpOnly
Set-Cookie: session_id=abc; HttpOnly
SameSite
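Controls whether the cookie is sent on cross-site requests. Strict never sends it cross-site, Lax sends it only on top-level navigations that use a safe method such as GET, and None sends it on all cross-site requests (current browsers require Secure alongside SameSite=None).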
SameSite=Strict
SameSite=Lax
SameSite=None
Set-Cookie: session_id=abc; SameSite=Strict
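The attributes above can be checked mechanically. The following is an added example, not part of the original cheat sheet: it parses Set-Cookie lines, reports missing hardening attributes, and computes the effective lifetime. The function names and sample headers are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie line into (name, value, attrs)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs

def lifetime(attrs, now):
    """Seconds until expiry; None means session cookie. Max-Age overrides Expires."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None

def audit(header):
    """Return hardening findings for one Set-Cookie line (empty list = none)."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable by client-side scripts")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax", "none"):
        findings.append("no valid SameSite: browser default applies")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    if "domain" in attrs:
        findings.append("Domain set: also sent to subdomains")
    return findings

# Constructed sample headers (not from a real server).
SAMPLES = [
    "Set-Cookie: session_id=abc; Secure; HttpOnly; SameSite=Strict; Path=/",
    "Set-Cookie: session_id=abc; SameSite=None",
    "Set-Cookie: id=1; Domain=example.com; Max-Age=3600",
]

if __name__ == "__main__":
    for line in SAMPLES:
        secs = lifetime(parse_set_cookie(line)[2], datetime.now(timezone.utc))
        print(line, "->", audit(line) or "ok", "| lifetime:", secs)
```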
Deleting Cookies
A cookie is deleted by setting it again with an expiration date in the past or with Max-Age=0.
Set-Cookie: session_id=abc; Expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: session_id=abc; Max-Age=0
Multiple Cookies
Servers can set multiple cookies in a single response, each in its own Set-Cookie header. The client returns them together in one Cookie header.
Set-Cookie: id=1
Set-Cookie: theme=dark
GET / HTTP/1.1
Cookie: id=1; theme=dark
Cookie Size Limits
Browsers impose limits on cookie size and count.
Max size per cookie: ~4 KB
Cookies per domain: ~20–50 (browser-dependent)