Every knob on a Set-Cookie
The Set-Cookie response header carries a name/value pair plus attributes that
control the cookie’s scope, lifetime and security posture. Getting these right
is the difference between a hardened session token and a hijackable one. This
reference lists every standard attribute with its behaviour and security
implications, searchable by name.
How it works
A cookie is set with Set-Cookie and returned by the browser in the Cookie
request header for matching requests. Attributes after the first ; shape
where and when it is sent:
Set-Cookie: __Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600
Domain and Path set the scope; Expires/Max-Age set lifetime; Secure
and HttpOnly restrict transport and script access; SameSite governs
cross-site sending; Partitioned opts into CHIPS partitioned storage. Name
prefixes __Secure- and __Host- add browser-enforced requirements.
Attribute quick-reference
| Attribute | What it controls | Security implication |
|---|---|---|
Domain | Which hosts receive the cookie | Omitting it scopes to the exact origin — safer; adding it widens scope to all subdomains |
Path | URL path prefix that must match | Narrower paths limit exposure but are not a security boundary between same-origin pages |
Expires | Absolute expiry timestamp | Persistent after browser close; expires at the given date |
Max-Age | Lifetime in seconds from receipt | Wins over Expires when both are present; 0 or negative deletes the cookie immediately |
Secure | HTTPS-only transport | Prevents cookie from travelling over plaintext; mandatory for auth tokens |
HttpOnly | Hides cookie from JavaScript | Stops XSS payloads reading the value; should always be set on session identifiers |
SameSite=Strict | Only sent on same-site requests | Maximum CSRF protection; breaks login redirect flows |
SameSite=Lax | Sent on same-site + top-level GET navigations | Browser default since Chrome 80; good balance for session cookies |
SameSite=None | Sent on all cross-site requests | Requires Secure; needed for embedded content and third-party auth |
Partitioned | Separate jar per top-level site | CHIPS spec; allows cross-site cookies to survive third-party cookie removal |
Building a hardened session cookie
A production session token should combine all protective attributes:
Set-Cookie: __Host-session=TOKEN; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=7200
__Host-prefix forcesSecure,Path=/and noDomain— the browser rejects any cookie that does not meet all three.HttpOnlyblocks script access, so XSS cannot steal the token.Secureensures it only travels over HTTPS.SameSite=Laxprovides default CSRF protection without breaking navigation.Max-Age=7200gives a two-hour session; longer lifetimes increase exposure if a token is leaked.
Tips and notes
- Session cookies (no Expires/Max-Age) are cleared when the browser session ends.
- Always combine
HttpOnly+Secure+SameSiteon auth cookies. - Use the
__Host-prefix to pin a cookie to one exact host and path/. - Omitting
Domainscopes the cookie to the exact host — usually what you want. Partitioned(CHIPS) keeps a cross-site cookie in a per-top-site jar, surviving third-party cookie phase-out.- Prefer
Max-AgeoverExpires— it is a relative duration and avoids clock-skew bugs between client and server.