HTTP Cookies

Jakob Persons
3 min read · Jun 28, 2021


HTTP cookies are small pieces of data that a server sends to a browser. They are generally used for a few different reasons. First, for session management, such as making sure a shopping cart stays the same even if the user leaves the page momentarily. Second, for personalization, keeping track of themes or other preferences. Finally, for tracking and recording user behavior for analysis. Companies generally use this information to follow a user or consumer along their journey within the site, for example to see what does or doesn't lead consumers to purchase products.

HTTP itself is stateless, so cookies are the mechanism that lets stateful information be carried across multiple requests to the same server. Because every request carries its own headers, a session cookie sent with each request lets the server tie all of those requests to the same session.

At one point, cookies were the only way to store information on the client side. Since they are sent with every request, they hinder performance when used for general storage. It is now recommended to use modern web APIs such as the Web Storage API or IndexedDB for that purpose.

Creating Cookies

Starting on the server side, cookies are set using the Set-Cookie HTTP response header, with the following syntax.

Set-Cookie: <cookie-name>=<cookie-value>

This tells the client to store the cookie from the server that sent the header. With every subsequent request to that server, the client sends all of the cookies it has stored for that server back in the request headers. The MDN documentation linked here provides links to per-language documentation on how to set cookies.

Cookie Lifetime

Session cookies are deleted when the session ends; the browser defines when the current session ends. Permanent cookies, on the other hand, are deleted at a specific date.

That expiration is defined either by the Expires attribute (an absolute date) or by the Max-Age attribute (a period of time after the cookie is received). When the Expires attribute is set, the date and time are interpreted relative to the clock of the client the cookie is being set on, not the server's.

Use the Expires attribute to specify an expiration date for a cookie.

If your site authenticates users, a new session cookie should be generated and sent to the user once they log in. This helps protect against a third party reusing a user's session.
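The two sections above (creating cookies, and cookie lifetime) can be put together in a small server-side helper. The following is an added example written for this page, not code from the original post: it builds Set-Cookie header values with the Expires and Max-Age attributes, issues a fresh session id on login, and parses the Cookie header a browser sends back. Only the Python standard library is used; the cookie names, values and dates are constructed for illustration.

```python
"""Added example (not code from the original post): build Set-Cookie response
headers as described above, regenerate the session cookie on login, and parse
the Cookie request header a browser sends back. Names, values and dates are
constructed for illustration."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from http.cookies import SimpleCookie
import secrets


def set_cookie_header(name, value, *, expires=None, max_age=None,
                      domain=None, path="/", secure=True, http_only=True):
    """Return the value of a Set-Cookie header.

    A cookie with neither Expires nor Max-Age is a session cookie and is
    discarded when the browser decides the session has ended. Expires is an
    absolute HTTP-date that the *client* interprets against its own clock;
    Max-Age is a number of seconds counted from when the cookie is received.
    """
    parts = [f"{name}={value}"]
    if expires is not None:
        # HTTP-date in GMT, e.g. "Wed, 21 Oct 2015 07:28:00 GMT"
        utc = expires.astimezone(timezone.utc)
        parts.append("Expires=" + format_datetime(utc, usegmt=True))
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if domain is not None:
        parts.append(f"Domain={domain}")
    parts.append(f"Path={path}")
    if secure:
        parts.append("Secure")      # only sent over HTTPS
    if http_only:
        parts.append("HttpOnly")    # not readable from page scripts
    return "; ".join(parts)


def new_session_id():
    """A fresh, unguessable session identifier (constructed with the secrets module)."""
    return secrets.token_urlsafe(32)


def login_response_headers(old_session_id):
    """On successful authentication, issue a brand-new session id instead of
    keeping the pre-login one, so an id handed out before login cannot be
    reused by someone else to ride the now-authenticated session."""
    fresh = new_session_id()
    assert fresh != old_session_id
    return [("Set-Cookie", set_cookie_header("sid", fresh))]


def parse_cookie_request_header(header_value):
    """Parse the Cookie request header a browser sends with each request
    into a plain dict of name -> value."""
    jar = SimpleCookie()
    jar.load(header_value)
    return {name: morsel.value for name, morsel in jar.items()}


if __name__ == "__main__":
    # Constructed sample: a theme cookie that expires 30 days after a fixed date,
    # and a cart cookie that lives one hour across example.com and its subdomains.
    expiry = datetime(2021, 6, 28, 12, 0, tzinfo=timezone.utc) + timedelta(days=30)
    print(set_cookie_header("theme", "dark", expires=expiry))
    print(set_cookie_header("cart", "abc123", max_age=3600, domain="example.com"))
    print(login_response_headers("pre-login-id"))
    print(parse_cookie_request_header("theme=dark; cart=abc123"))
```

Secure and HttpOnly default to on here because a session cookie that is sent in clear text or readable from page scripts is exactly the cookie a third party would try to reuse; the defaults can be switched off per cookie where a value genuinely needs to be read by client-side code.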

Define When Cookies Are Sent

The Domain and Path attributes specify which hosts and URL paths are allowed to receive a cookie. This is called the scope of the cookie. If Domain is not specified, it defaults to the host that set the cookie, and subdomains are excluded. If Domain is included, all of its subdomains are always included. This means that not specifying Domain is more restrictive than specifying it.

The Path attribute indicates a URL path that must exist in the requested URL in order for the Cookie header to be sent. The '/' character separates directories, and all subdirectories are included as well. For example, if Path=/docs is set, the following paths match as well.

(Image in the original post: the Path attribute and the sub-paths that match it.)
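The Domain and Path rules above can be written out as the check a browser performs before attaching a stored cookie to a request. The code below is an added example for this page, not code from the original post or from any browser; it models the host-only distinction (no Domain attribute means the exact host only, a Domain attribute means that host plus all subdomains) and the path-prefix rule (Path=/docs matches /docs, /docs/ and /docs/Web/, but not /docsets). The hostnames, paths and cookies in the sample jar are constructed.

```python
"""Added example (not code from the original post): the Domain and Path
scoping rules, modelled as the check a browser makes before sending a
stored cookie with a request. Hosts, paths and cookies are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredCookie:
    name: str
    value: str
    domain: str        # host the cookie applies to (from Domain, or the setting host)
    host_only: bool    # True when no Domain attribute was given: exact host only
    path: str = "/"


def domain_matches(request_host, cookie):
    """No Domain attribute: only the exact host that set the cookie.
    Domain attribute present: that host and every subdomain of it.
    The '.' boundary check keeps 'notexample.com' from matching 'example.com'."""
    host = request_host.lower()
    domain = cookie.domain.lower()
    if cookie.host_only:
        return host == domain
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    """Path=/docs matches /docs, /docs/ and /docs/Web/ but not /docsets: the
    cookie path must equal the request path, or be a prefix that ends at a
    '/' boundary (either the cookie path itself ends in '/', or the next
    character of the request path is '/')."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_from_set_cookie(setting_host, name, value, domain=None, path="/"):
    """Model how the browser scopes a cookie received in a Set-Cookie header
    from `setting_host`: absent Domain -> host-only; present -> that domain."""
    if domain is None:
        return StoredCookie(name, value, setting_host, host_only=True, path=path)
    return StoredCookie(name, value, domain.lstrip("."), host_only=False, path=path)


def cookies_for_request(jar, request_host, request_path):
    """Return the Cookie header value a browser would send with a request to
    request_host + request_path, given the stored cookies in `jar`."""
    sent = [c for c in jar
            if domain_matches(request_host, c) and path_matches(request_path, c.path)]
    return "; ".join(f"{c.name}={c.value}" for c in sent)


# Constructed sample jar, all set by example.com: one cookie without Domain,
# one with Domain=example.com, and one restricted to Path=/docs.
JAR = [
    cookie_from_set_cookie("example.com", "strict", "1"),
    cookie_from_set_cookie("example.com", "wide", "2", domain="example.com"),
    cookie_from_set_cookie("example.com", "docs", "3", path="/docs"),
]

if __name__ == "__main__":
    print(cookies_for_request(JAR, "example.com", "/"))              # strict and wide
    print(cookies_for_request(JAR, "api.example.com", "/docs/Web/")) # only wide
    print(cookies_for_request(JAR, "example.com", "/docsets"))       # no docs cookie
```

The sample jar makes the post's point concrete: the cookie set without Domain never leaves example.com itself, the one set with Domain=example.com also travels to api.example.com, and the /docs cookie is only attached under that path prefix.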

Conclusion

Cookies are used to send data from the server to the user's client. This information is used to store session data, personalize the user experience and track user behavior. There are several more attributes that can be included with Set-Cookie headers; you can find further information in the MDN documentation linked here.

It's important to be wary of security vulnerabilities and to follow cookie regulations. You must inform users of your site that cookies are being used, give them the ability to use the site without cookies and make sure that they can opt out of receiving some or all cookies.

Cookies have sparked a debate about the invasion of users' privacy, as they have been used to track users across the internet in order to serve targeted web ads. While this is changing over time, you want to make sure that your users are secure and that their privacy is considered at all times.

Jakob Persons

Software Engineer | Full Stack Developer | Soccer Fanatic