Cookies with the Secure attribute are only sent over encrypted HTTPS connections. The Secure attribute only protects the confidentiality of a cookie against MiTM attackers; there is no integrity protection.
The HttpOnly attribute only protects the confidentiality of a cookie, but
The Path attribute limits the scope of a cookie to a specific path on the server and can therefore be used to prevent unauthorized access to it from other applications on the same host.
Domain specifies the hosts allowed to receive the cookie.
If the Domain attribute is unspecified, it defaults to the host of the current document location, excluding subdomains
If the Domain attribute is specified, cookies will be sent to that domain and all its subdomains
The Expires attribute allows you to set the maximum cookie lifetime.
If the Expires attribute is unspecified, the cookie lifetime is equal to the session lifetime
Non-persistent session cookies may actually be persisted to survive a browser restart
The SameSite attribute prevents the browser from sending cookies along with cross-site requests. The SameSite attribute can have one of two values (case-insensitive):
Strict, if the URL of the constructed request is different from the URL of the current page, Strict cookies will not be included in the request
Strict cookies will not be sent when clicking on a link from another site
SameSite, as a unique user id, allows you to show username e.g. Second cookie, with SameSite, to make purchases, profile changes, and more
Lax adds an exception allowing cookies to be sent when navigating from an external URL using secure HTTP methods, for example, when clicking on a link. The secure HTTP methods are GET, HEAD, OPTIONS and TRACE.
Cookie Prefix allows sending cookie prefix information to ensure that certain attributes are present in a cookie request. Supported prefixes:
__Secure- tells the browser that the Secure attribute is required,
__Host- tells the browser that the Path=/ and Secure attributes are required, and at the same time that the Domain attribute should not be present.
Path attribute with longer path.