Cookie Attributes

Attributes

name       description                                                      type
secure     Only send over HTTPS                                             bool/flag
httpOnly   Only allow access via HTTP(S) requests, not JavaScript           bool/flag
expires    Destroy on this date                                             date
max-age    Number of seconds until the cookie expires                       int
samesite   strict: never send the cookie on requests from other sites;      strict/lax
           lax: send it cross-site only on a top-level GET navigation

When the secure and httpOnly attributes are not set, a cookie that the browser sends legitimately can still be read by an attacker.

A cookie without the secure attribute can be sent over plaintext HTTP, not just HTTPS; likewise, a cookie without httpOnly set can be read by JavaScript running in the page (for example through document.cookie).

The expires attribute simply tells the browser to destroy the cookie on a specific date. In contrast, max-age is the number of seconds until the cookie expires.