What is a cookie?
tim-hr edited this page Oct 19, 2016
- defined in an RFC(todo) in 1997, as an extension of the HTTP protocol(todo)
- carried in the "Cookie" HTTP header
- a set of key-value pairs
- sent by the browser with every HTTP request to the matching host
- the primary way to work around HTTP's stateless nature
- scoped to the subdomain that set them
- can be set to expire
- remembering stateful information, e.g. items in a shopping cart or previously entered items in a form field
- implementing sessions. For example, an encrypted session id can be stored in the cookie.
- generally, storing any client-specific data
- user tracking across sites
- they only hold up to around 4 KB each
- you can encrypt them, but it's safer to store only an id in the cookie and use it as a key to fetch the full user record server-side
- you can relax the scoping to the parent domain to share cookies between its subdomains; this is one way to get a poor man's SSO(todo)
- setting them to never expire is often a security risk
- since they're sent with every request, they can waste bandwidth
- this can be avoided by serving static assets from a separate subdomain or domain that no cookies are scoped to
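The session-id approach and the domain scoping described above, as an added example (not from the original page). It assumes a constructed in-memory session store and the host names `app.example.com` / `example.com`; the server keeps the user data and the cookie carries only an opaque, expiring id.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

# Constructed in-memory session store (an assumption, not from the page):
# the cookie carries only an opaque random id; user data stays server-side.
SESSIONS = {}
SESSION_TTL = 3600  # seconds; a cookie that never expires is a standing risk

def create_session(user_id, now=None):
    """Issue a fresh random session id and remember who it belongs to."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # unguessable, contains no user data
    SESSIONS[sid] = {"user_id": user_id, "expires": now + SESSION_TTL}
    return sid

def set_cookie_header(sid, domain="app.example.com"):
    """Build the Set-Cookie header the server sends with its response."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["domain"] = domain        # widen to "example.com" to share across subdomains
    c["sid"]["path"] = "/"
    c["sid"]["max-age"] = SESSION_TTL  # browser expiry matches the server-side TTL
    c["sid"]["secure"] = True          # only sent over HTTPS
    c["sid"]["httponly"] = True        # not readable by page scripts
    return c.output()

def lookup_session(cookie_header, now=None):
    """Resolve the browser's Cookie header value to a user id, or None."""
    now = time.time() if now is None else now
    c = SimpleCookie()
    try:
        c.load(cookie_header)
    except CookieError:
        return None
    if "sid" not in c:
        return None
    sid = c["sid"].value
    sess = SESSIONS.get(sid)
    if sess is None or sess["expires"] <= now:
        SESSIONS.pop(sid, None)  # unknown or stale id is never honoured
        return None
    return sess["user_id"]

def cookie_applies(cookie_domain, host):
    """Domain-match rule: a cookie is sent to its domain and that domain's subdomains."""
    return host == cookie_domain or host.endswith("." + cookie_domain)
```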
- HTTP protocol
- stateless design
- same-origin policy
- sessions
- single-sign-on