Mastering the Set-Cookie Header: A Deep Dive into HTTP Cookies

Table of Contents
1. Introduction
2. What Is the Set-Cookie Header?
3. Syntax and Core Attributes
   3.1 Name‑Value Pair
   3.2 Expiration Controls
   3.3 Scope Controls
   3.4 Security Flags
4. SameSite and Modern Browser Policies
5. Real‑World Use Cases
   5.1 Session Management
   5.2 Persistent Preferences
   5.3 A/B Testing & Feature Flags
6. Implementing Set-Cookie in Popular Back‑Ends
   6.1 Node.js / Express
   6.2 Python / Flask
   6.3 Java / Spring Boot
   6.4 Go / net/http
7. Debugging and Testing Cookies
8. Best Practices Checklist
9. Future Directions: Cookie Partitioning & Storage Access API
10. Conclusion
11. Resources

Introduction

HTTP is a stateless protocol. Each request that reaches a server is, by design, independent of any previous request. Yet modern web applications need to remember who a user is, what items they have in a shopping cart, or which language they prefer. Cookies—small pieces of data stored on the client—fill that gap. ...

April 1, 2026 · 9 min · 1812 words · martinuke0

The Cookie‑Swap Pattern: A Deep Dive into Secure Token Exchange

Introduction

Web applications have come a long way from the static pages of the late 1990s, but the fundamental challenge of identifying a user across multiple HTTP requests remains unchanged. Cookies have been the de‑facto mechanism for persisting state, while modern JavaScript‑heavy front‑ends demand more flexible, API‑centric authentication strategies. Enter the cookie‑swap pattern—a design that blends the simplicity of cookies with the robustness of token‑based authentication. At its core, the pattern exchanges a short‑lived, temporary cookie for a secure authentication token (often a JWT or opaque session identifier) after the user’s credentials have been validated. By doing so, it thwarts classic attacks such as session fixation, cross‑site request forgery (CSRF), and even some cross‑site scripting (XSS) scenarios. ...

April 1, 2026 · 17 min · 3542 words · martinuke0