Response Header: Set-Cookie

The Set-Cookie HTTP response header sends cookies from the server to the user agent. Cookies are mainly used for session management such as Logins, game scores, or anything else the server should remember; personalization settings like user preferences and themes and tracking user behavior, meaning recording and analyzing it.

How it works

A server sends a Set-Cookie header with the response when it receives an HTTP request. An HTTP cookie represents a small piece of data that a server sends to the user's web browser. The browser may store it, and then the cookie can be sent with requests that the browser makes to the same server inside a Cookie HTTP header. Restrictions can be set to the duration and the path of the cookie.

Session cookies

The session cookie is deleted when the client shuts down because it didn't specify an Expires or Max-Age directive. To make session cookies permanent web browsers may use session restoring.

Permanent cookies

A specific date (Expires) or a specific length of time (Max-Age) is defined for Permanent cookies. Their expiration does not depend on the client's closure.

Secure and HttpOnly cookies

Secure cookies are those sent to the server with an encrypted request over the HTTPS protocol. Yet they are inherently insecure and sensitive information should never be stored in cookies. The secure flag doesn't offer real protection. The HttpOnly flag should be set to help mitigate cross-site scripting attacks. Cookies available to JavaScript can be stolen through XSS.

Scope of Cookies

The scope of cookies is defined by Domain and Path directives. These directives specify the URL the cookie should be sent to. If for example, is sent, the cookies are included in subdomains like And if Path=/docs is set, these paths will match: /docs;/docs/Web/;/docs/Web/HTTP.

SameSite cookies

With the SameSite cookies, a server can request not to send the cookie with a cross-site.
For example Set-Cookie: key=value; SameSite=Strict

With the Strict attribute, the browser will send cookies for same-site requests originating from the site that set the cookie.

With the attribute None the browser will send cookies with both cross-site requests and same-site requests.

The SameSite cookie has also an attribute Lax. These cookies are used when the user navigates to the URL from an external site. Before then they are withheld on cross-site subrequests.

Each cookie is separated by a comma (,) and each cookie attributes are separated by semicolons (;). The two values required are the first name=value pair. These are string values. Other attributes set other parameters of a cookie and are optional.