
Understanding How HTTP Cookies Work: Types, Mechanism, and Security

This article explains the concept, types, lifecycle, and security considerations of HTTP cookies, illustrates how browsers store and send cookies, describes the cookie‑jar model, domain handling, and related CORS mechanisms, and provides practical JavaScript examples.

Full-Stack Internet Architecture

Cookies are the primary way browsers maintain persistent sessions and identify users across otherwise stateless HTTP requests. Originally created by Netscape, they are now supported by all major browsers. They add two headers to HTTP, Set-Cookie (server to browser) and Cookie (browser to server), and the per-user responses they produce have consequences for caching and privacy.

1. What Is a Cookie

A cookie is a small piece of data stored on the client side that allows a server to recognize returning users and maintain stateful interactions.

2. Types of Cookies

Session Cookie – temporary, deleted when the browser is closed.

Persistent Cookie – stored on disk with a longer lifespan, often used for login information or site preferences.

The only difference between them is the expiration time; a cookie without Expires or Max-Age is a session cookie.

3. How Cookies Work

When a user first visits a website, the server sends one or more Set-Cookie headers, each carrying a name-value pair plus optional attributes (Expires, Max-Age, Domain, Path, Secure, HttpOnly), e.g.: Set-Cookie: name="Brian Totty" and Set-Cookie: phone="555-1212". The browser stores these values in its cookie database. On subsequent requests to the same site, the browser includes a single Cookie header with the stored values, e.g.: Cookie: name="Brian Totty"; phone="555-1212", allowing the server to identify the user.

4. The Cookie Jar

Browsers keep a “cookie jar” that can hold hundreds of cookies. Each cookie is associated with a specific domain, and browsers only send the cookies that match the request’s domain, reducing bandwidth usage and protecting privacy.

5. Cookie Security

Cookies are sent with every request whose host, path and scheme match the cookie's scope, and can be created, modified, or deleted via JavaScript using the document.cookie API (cookies flagged HttpOnly are excluded from it and cannot be set through it). Example: document.cookie="test=1"; A cookie set without a Domain attribute is host-only: it is returned only to the exact host that set it. Setting the attribute to a parent domain shares the cookie with every sub-domain of that domain: document.cookie="test=1;domain=test.com"; Sharing cookies across sub-domains improves convenience but also introduces security risks: any sub-domain of test.com, including one an attacker controls or has compromised, can read and overwrite the cookie. Session cookies should therefore be scoped as narrowly as possible (no Domain attribute unless sharing is genuinely needed) and marked Secure and HttpOnly.
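The storage and matching rules of sections 2 to 5 (session versus persistent, the cookie jar, domain matching, and the sub-domain sharing risk) as a small runnable model. This is an added example, not code from the article: it implements the RFC 6265 rules in Node.js, and the host names and cookie values it uses are constructed samples.

```javascript
// Added example (not the article's code): a miniature cookie jar in the style
// of RFC 6265. It parses Set-Cookie headers, tells session cookies from
// persistent ones, and selects the cookies a request to a given URL would
// carry. Hosts such as www.test.com and values such as 34294 are made up.

function domainMatches(host, cookieDomain) {
  // RFC 6265 s5.1.3: exact match, or host is a sub-domain of cookieDomain.
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

function pathMatches(requestPath, cookiePath) {
  // RFC 6265 s5.1.4: equal, or cookiePath is a prefix ending at a '/' boundary.
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

function parseSetCookie(header, requestHost) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: requestHost.toLowerCase(),
    hostOnly: true,   // no Domain attribute: only the setting host gets it back
    path: '/',
    secure: false,
    httpOnly: false,
    expires: null,    // null means "session cookie"
  };
  let maxAge = null;
  let expires = null;
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    } else if (key === 'path' && val.startsWith('/')) {
      cookie.path = val;
    } else if (key === 'max-age' && /^-?\d+$/.test(val)) {
      maxAge = Number(val);
    } else if (key === 'expires') {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) expires = t;
    } else if (key === 'secure') {
      cookie.secure = true;
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    }
  }
  // Max-Age takes precedence over Expires; neither present means a session cookie.
  if (maxAge !== null) cookie.expires = Date.now() + maxAge * 1000;
  else if (expires !== null) cookie.expires = expires;
  return cookie;
}

function isSessionCookie(cookie) {
  return cookie.expires === null;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie received from requestHost. A Domain attribute that does not
  // cover the responding host is rejected: a site cannot set cookies for others.
  store(setCookieHeader, requestHost) {
    const c = parseSetCookie(setCookieHeader, requestHost);
    if (!c.hostOnly && !domainMatches(requestHost.toLowerCase(), c.domain)) return false;
    this.cookies = this.cookies.filter((x) => !(x.name === c.name && x.domain === c.domain && x.path === c.path));
    this.cookies.push(c);
    return true;
  }

  // Build the Cookie header for a request to url, applying the domain, path,
  // Secure and expiry rules. Longer paths are listed first, as browsers do.
  cookieHeader(url, now = Date.now()) {
    const u = new URL(url);
    const host = u.hostname.toLowerCase();
    return this.cookies
      .filter((c) => (c.expires === null || c.expires > now)
        && (c.hostOnly ? host === c.domain : domainMatches(host, c.domain))
        && pathMatches(u.pathname, c.path)
        && (!c.secure || u.protocol === 'https:'))
      .sort((a, b) => b.path.length - a.path.length)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Demo: a parent-domain cookie reaches every sub-domain, a host-only one does not.
const jar = new CookieJar();
jar.store('id=34294; Domain=test.com; Path=/; Secure', 'www.test.com');
jar.store('sess=abc; HttpOnly', 'www.test.com');
console.log(jar.cookieHeader('https://www.test.com/'));   // id=34294; sess=abc
console.log(jar.cookieHeader('https://evil.test.com/'));  // id=34294
console.log(jar.cookieHeader('http://www.test.com/'));    // sess=abc
```

The demo makes the section 5 risk concrete: the cookie scoped with Domain=test.com is handed to evil.test.com, while the host-only sess cookie stays with www.test.com, and the Secure cookie is withheld from the plain-http request.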

6. Cross‑Origin Resource Sharing (CORS)

CORS is a mechanism that uses additional HTTP headers to let a browser make cross-origin requests safely; it relaxes the same-origin policy only where the target server opts in. For simple requests (GET, HEAD, or POST carrying nothing beyond CORS-safelisted headers and content types) the browser sends the request directly and then checks the response headers before exposing the response to the page; for any other request it first performs a pre-flight OPTIONS request, carrying Access-Control-Request-Method and Access-Control-Request-Headers, to verify that the server permits the method and headers.

The server must respond with Access-Control-Allow-Origin and related headers for the browser to release the response to the page. When the request is to carry cookies, the server must additionally send Access-Control-Allow-Credentials: true and name the origin explicitly; browsers refuse the wildcard * in combination with credentials, so a cookie-authenticated API cannot be opened to all origins at once.
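Both halves of the exchange described above, written as pure functions so they can be exercised without a network. This is an added example, not code from the article: needsPreflight() reproduces the browser's "simple request" test, and cors() reproduces a server that admits cookie-bearing requests from an allowlist of origins. The origins, permitted methods and header names are assumptions for the demo.

```javascript
// Added example (not the article's code): CORS decision logic as pure functions.
// The allowlisted origins, methods and headers below are assumed for the demo.

const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// Browser side: a request is "simple" (sent without preflight) only if it is
// GET, HEAD or POST and carries nothing beyond CORS-safelisted headers.
function needsPreflight(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    if (n === 'content-type') {
      const type = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.includes(type)) return true;
    }
  }
  return false;
}

// Server side: assumed policy for the demo.
const ALLOWED_ORIGINS = new Set(['https://app.test.com', 'https://admin.test.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'x-csrf-token'];

// req is {method, headers} with lower-case header names, as Node's http module
// delivers them. Returns {preflight, status, headers}; status null means
// "run the normal handler and add these headers to its response".
function cors(req) {
  const origin = req.headers.origin;
  const preflight = req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  const headers = { Vary: 'Origin' }; // the answer depends on Origin, so caches must key on it
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Unknown or absent Origin: grant nothing. The browser then withholds the
    // cross-origin response; a preflight from an unknown origin is refused.
    return { preflight, status: preflight ? 403 : null, headers };
  }
  // Echo the specific origin. Browsers never honour '*' together with
  // Allow-Credentials, so a wildcard cannot serve cookie-based sessions.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (!preflight) return { preflight: false, status: null, headers };

  const method = req.headers['access-control-request-method'];
  const requested = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const permitted = ALLOWED_METHODS.includes(method) && requested.every((h) => ALLOWED_HEADERS.includes(h));
  if (!permitted) return { preflight: true, status: 403, headers: { Vary: 'Origin' } };
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = '600'; // browser may cache this preflight answer for 10 minutes
  return { preflight: true, status: 204, headers };
}

// Demo: a JSON PUT from the app is not simple, so the browser preflights it,
// and the server answers with the grant for that specific origin.
console.log(needsPreflight('PUT', { 'Content-Type': 'application/json' })); // true
console.log(cors({
  method: 'OPTIONS',
  headers: {
    origin: 'https://app.test.com',
    'access-control-request-method': 'PUT',
    'access-control-request-headers': 'Content-Type, X-CSRF-Token',
  },
}));
```

The Vary: Origin header is easy to forget: without it a shared cache may serve a response granted to one origin to a request from another.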

Conclusion

Cookies are a fundamental part of the HTTP state‑management mechanism, enabling persistent sessions, but they must be used carefully to avoid performance degradation, privacy leaks, and security vulnerabilities.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

JavaScriptHTTPCORSWeb SecuritycookiesClient-side State
Written by

Full-Stack Internet Architecture

Introducing full-stack Internet architecture technologies centered on Java
