HTTP Cookie

Also called web cookie, browser cookie.

Use Case

Typically, an HTTP cookie is used to tell if two requests come from the same browser. It remembers stateful information for the stateless HTTP protocol.

Cookies are mainly used for three purposes:

• Session management: Logins, shopping carts, game scores, or anything else the server should remember
• Personalization: User preferences, themes, and other settings
• Tracking: Recording and analyzing user behavior
• Client-side storage: Using modern storage APIs instead: Web Storage API (localStorage and sessionStorage) and IndexedDB.

Response

Set-Cookie: id=<uid>; Domain=<domain>
Set-Cookie: id=<uid>; Path=/path/to

Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly; SameSite=Strict
Set-Cookie: id=a3fWa; Max-Age=300; Secure; HttpOnly; SameSite=Strict
Set-Cookie: id=a3fWa; Max-Age=300; Secure; HttpOnly; SameSite=Strict; csrftoken=xxxxxx

• Domain: allow subdomains
• Path: URL path
• Secure: only for https
• HttpOnly: disallow JavaScript Document.cookie API.
• SameSite: Strict for same origin, Lax (default) for link following (See Cross-Site Request Forgery (CSRF) (跨站请求伪造))
• Max-Age / Expires: cache

Request

Cookie: id=<uid>

See RFC 6265 - HTTP State Management Mechanism (2011.4) (Obsolete RFC 2109, RFC 2965).

Python Examples and Recipes

• HTTP Cookie (Server Side) - Python Cookbook

References

• MDN - HTTP
• David Gourley & Brian Totty. HTTP: The Definitive Guide (2002) ISBN: 978-1-56592-509-0 (《HTTP权威指南》)
• RFC 6265 - HTTP State Management Mechanism (2011.4) (Obsolete RFC 2109, RFC 2965)
• RFC 2964 - Use of HTTP State Management (2000.10)
• RFC 9110 - HTTP Semantics (2022.6) (Obsolete RFC 7231)
• RFC 9112 - HTTP/1.1 (2022.6) (Obsolete RFC 2068, RFC 2616)
• W3C - HTTP - Hypertext Transfer Protocol
• Wikipedia - HTTP
• Wikipedia - HTTPS