| name | description | type |
|---|---|---|
| secure | Only send the cookie over HTTPS, never on a plain-HTTP request | bool/flag |
| httpOnly | Only expose the cookie to HTTP(S) requests; hide it from JavaScript (`document.cookie`) | bool/flag |
| expires | Destroy the cookie at this absolute date and time | date |
| max-age | Number of seconds until the cookie expires; takes precedence over expires when both are set | int |
| samesite | strict: never send the cookie on cross-site requests; lax: also send it on top-level cross-site navigations that use a safe method such as GET, but not on cross-site POSTs or subrequests; none: send it on all cross-site requests (requires secure) | strict/lax/none |
When the `secure` and `httpOnly` attributes are not set, a cookie is still sent legitimately to the site that issued it, but it can also be obtained by an attacker. A cookie without `secure` is sent on plain-HTTP requests to the same host as well (for example, when the user follows an `http://` link), where anyone on the network path can read it; a cookie without `httpOnly` can be read by JavaScript through `document.cookie`, so any script injection on the site can steal it.

The `expires` attribute simply tells the browser to destroy the cookie at a specific date and time, whereas `max-age` is the number of seconds from receipt until the cookie expires. If both are present, `max-age` wins; if neither is present, the cookie is a session cookie that lives until the browser is closed.