HTTP Cookies Crash Course

HTTP Cookies are small pieces of data that are used as storage medium in the browser and are also sent to the server with each request. Cookies are mainly used for session management, user personalization, and tracking. In this video we will try to demystify cookies and learn everything there is to them by example and with demos as well! 0:00 Intro 4:15 Section 1 - Creating Cookies 14:38 Section 2 - Cookie Properties 44:00 Section 3 - Cookie Types 1:02:00 Section 4 - Cookie Secuirty Creating Cookies 1. Document.cookie (client side) 2. set-cookie header (server side) Cookies Properties Sent with each request Cookies are automatically sent to the server with each request. so becareful not to stuff your app with cookies because it might slow down as network bandwidth become saturated with bloated requests.. Per Domain They are stored per domain think of them as cookie buckets, for instance you visit google.com you will get a specific cookie for google.com, any cookies created while in google.com will go to the google.com bucket and so on. there are exceptions but this the general rule. by default if you create cookie, it will only be accessable within the domain, it will only be sent to the same domain. You can create a cookie with the domain property which will also include subdomains. example, domain=husseinnasser.com , includes blog.husseinnasser.com, about.husseinnasser.com etc.. Example.com www.example.com Path specific cookies cookies for a given path only. /r1 /r2 routes make only cookie for r1 and cookie for r2 client will only send cookies for that path. if you know you are going to use the cookies in certain paths why waste precious bandwidth sending it with every path? Cookies Types 1. Session cookie - no expires or max-age, once browser close they are “deleted” browsers are being smart and keep them though 2. permanent cookie - set max-age 3. httponly cookie cannot be accessed with document.cookie 4. secure cookie only acceptable with https 5. Third party cookie - page references another page, gets its own cookies.. 6. Zombie Cookies - recreted even after users delete them, e-tags from the server Cookie Security 1. Stealing cookies, inject XSS script, 2. cross site request forgery, more dangerous and easier, I don’t want your cookie I just want to make a request on your behave using your cookie and make myself an advtange as a result.. since you are signed in to your bank I will inject a script that makes a request ot YOUR bank to transfer myself money.. samesite Stay Awesome! Hussein