HTTP headers | Set-Cookie

The HTTP header Set-Cookie is a response header and used to send cookies from the server to the user agent. So the user agent can send them back to the server later so the server can detect the user.

Syntax:

Set-Cookie: <cookie-name>=<cookie-value> | Expires=<date> 
               | Max-Age=<non-zero-digit> | Domain=<domain-value>
               | Path=<path-value> | SameSite=Strict|Lax|none

Note: Using multiple directives are also possible.

Directives:

• <cookie-name>=<cookie-value>: The cookie name have to avoid this character ( ) @, ; : \ ” / [ ] ? = { } plus control characters, spaces, and tabs. It can be any US-ASCII characters.
• Expires=<date>: It is an optional directive that contains the expiry date of the cookie.
• Max-Age=<non-zero-digit>: It contains the life span in a digit of seconds format, zero or negative value will make the cookie expired immediately.
• Domain=<domain-value>: This directive defines the host where the cookie will be sent. It is an optional directive.
• Path=<path-value>: This directive define a path that must exist in the requested URL, else the browser can’t send the cookie header.
• SameSite=Strict|Lax|none: This directives providing some protection against cross-site request forgery attacks.

Example:

• This types cookies were removed when the user shut down the system this types of cookies known as a session cookie.

  Set-Cookie: sessionId=38afes7a8

• Permanent cookies expire on some specific date

  set-cookie: 1P_JAR=2019-10-24-18; expires=…in=.google.com; SameSite=none

To check this Set-Cookie in action go to Inspect Element -> Network check the response header for Set-Cookie.

Supported Browsers: The browsers compatible with HTTP header Set-Cookie are listed below:

• Google Chrome
• Internet Explorer
• Firefox
• Safari
• Opera