Abstract
Reviewing cookies again. It seems that I already understand them, but in fact the subject is very profound and there are many things I don't understand.
Cookies basics
- Each cookie is a key-value pair along with a number of attributes that control when and where that cookie is used.
- You can set a cookie in an HTTP response header (`Set-Cookie`) or through the JavaScript interface (`document.cookie`).
First-party and third-party cookies
- Cookies that match the domain of the current site, that is, what’s displayed in the browser’s address bar, are referred to as first-party cookies.
- Cookies from domains other than the current site are referred to as third-party cookies.
A number of security and privacy concerns
- Cross-site request forgery (CSRF) attacks rely on the fact that cookies are attached to any request to a given origin, no matter who initiates the request.
- You can explicitly state your intent with a cookie by setting the appropriate SameSite attribute.
- By default, cookies:
  - can be shared across sites
  - can be accessed by JavaScript
  - are sent over unencrypted HTTP connections
  These defaults come with privacy and security risks, which the `SameSite`, `HttpOnly` and `Secure` attributes exist to restrict.
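As an added example that is not part of the original post, the following Node.js script models the points above: it parses a `Set-Cookie` header, decides whether a browser would attach the cookie to a cross-site request under each `SameSite` value, and flags the weak defaults listed. The browser model is simplified (assumes the modern `Lax` default and ignores Chrome's temporary Lax+POST exception); the sample headers are constructed.

```javascript
// Parse one Set-Cookie header into name, value and lower-cased attribute map.
// Value-less attributes (Secure, HttpOnly) are recorded as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim());
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: rest.join('='), attrs: {} };
  for (const p of parts.slice(1)) {
    const [k, ...v] = p.split('=');
    cookie.attrs[k.trim().toLowerCase()] = v.length ? v.join('=').trim() : true;
  }
  return cookie;
}

// Would a browser attach this cookie to a request in context `ctx`?
// ctx = { crossSite, topLevelNavigation, method, https } (all assumed fields).
// Simplified model: SameSite defaults to Lax; Chrome's Lax+POST grace period ignored.
function wouldBeSent(cookie, ctx) {
  const a = cookie.attrs;
  if (a.secure && !ctx.https) return false;          // Secure: HTTPS only
  if (!ctx.crossSite) return true;                   // same-site: always sent
  const sameSite = String(a.samesite || 'lax').toLowerCase();
  if (sameSite === 'strict') return false;           // never cross-site
  if (sameSite === 'lax') {                          // only top-level GET navigations
    return ctx.topLevelNavigation && ctx.method === 'GET';
  }
  return true;                                       // SameSite=None: sent cross-site
}

// Report the risky defaults the post lists: no Secure, no HttpOnly, no SameSite.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const a = c.attrs;
  const findings = [];
  if (!a.secure) findings.push('missing Secure: may be sent over plain HTTP');
  if (!a.httponly) findings.push('missing HttpOnly: readable by JavaScript');
  const ss = String(a.samesite || '').toLowerCase();
  if (!ss) findings.push('no SameSite: relies on the browser default (Lax in modern browsers)');
  if (ss === 'none' && !a.secure) findings.push('SameSite=None without Secure: Chrome rejects it');
  return { name: c.name, findings };
}

// Constructed sample headers for a quick run.
const SAMPLE_HEADERS = [
  'session=abc123; Secure; HttpOnly; SameSite=Lax',
  'legacy=1',
];
for (const h of SAMPLE_HEADERS) console.log(auditCookie(h));

module.exports = { parseSetCookie, wouldBeSent, auditCookie };
```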