
Understanding HTTP Cookies: Principles, Formats, and Cross‑Domain Usage

This article explains what HTTP cookies are, their basic operation via Set‑Cookie and Cookie headers, the standard cookie format and attributes, how to view them in browsers, and how cookies enable seamless cross‑domain redirects, illustrated with PHP code examples.

360 Quality & Efficiency

What is a cookie?

HTTP is a stateless protocol, so servers issue a small token called a cookie to identify clients across requests. The server sends a Set-Cookie header in the response, and the browser stores it and includes it in subsequent requests via the Cookie header.

Basic working principle

Cookies are transmitted through HTTP headers: Set-Cookie in server responses and Cookie in client requests.

Typical flow:

Client requests a URL.

Server responds with a Set-Cookie header, establishing a session.

Browser saves the cookie (e.g., as a Cookie.txt file).

On subsequent requests, the browser adds a Cookie header containing the stored values.

Server reads the cookie to retrieve user‑specific information and generates the appropriate response.

Cookie format

A cookie consists of a name‑value pair and optional attributes. Example:

Set-Cookie: name=value; domain=domain.com; path=/; expires=Sat, 11 Jun 2016 11:29:42 GMT; secure

name: unique identifier for the cookie (case-insensitive).

value: the stored data, usually URL-encoded.

domain: the domain for which the cookie is valid; can include subdomains.

path: URL path scope; the cookie is sent for requests matching this path.

expires: expiration date; if omitted, the cookie is deleted when the browser closes.

secure: flag indicating the cookie is sent only over HTTPS.

Viewing cookies

Users can inspect cookies via browser settings (Privacy → Cookies) or using developer tools (F12 → Network → Cookies).

Redirect cookies

Cookies also enable seamless cross-domain redirects without re-authentication. For example, after logging into admin.test.123.cn, a cookie set for test.123.cn allows direct access to the advertising platform. In PHP, a redirect can be performed as follows:

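header('Location: http://b.com/test.php'); // PHP answers with a 302 redirect to the target site
exit; // stop the script once the redirect header has been sent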

On the target site, a cookie can be created:

setcookie('name', 'qqq', time() + 3600); // cookie "name" with value "qqq", valid for one hour

The browser follows the 302 redirect, receives the Set-Cookie header from b.com, stores the cookie, and includes it in subsequent requests, enabling automatic login on the new domain.

In practice, secure token exchange (e.g., OAuth) may be used to encrypt user credentials, allowing the receiving platform to decrypt the token and set appropriate cookies for authenticated access.
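
The scoping rules from the attribute list and the admin.test.123.cn example above can be checked with a short JavaScript model of what a browser does; this is an added example, not code from the original article. The cookie values and function names are constructed, and the model simplifies the browser algorithm: the default path is taken as /, and public-suffix and IP-address checks are left out.

```javascript
// Added example: simplified RFC 6265 cookie scoping. Hosts come from the
// article; cookie values and function names are constructed for illustration.
function domainMatches(host, domain, hostOnly) {
  host = host.toLowerCase();
  if (host === domain) return true;
  // Suffix match must fall on a label boundary: "nottest.123.cn" is not under "test.123.cn".
  return !hostOnly && host.endsWith('.' + domain);
}

function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Parse a Set-Cookie header received from originHost; returns null if rejected.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.replace(/^Set-Cookie:\s*/i, '').split(';');
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no name=value pair
  const c = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(),
              domain: originHost.toLowerCase(), hostOnly: true,
              path: '/', expires: null, secure: false }; // assumption: default path "/"
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain' && val) { c.domain = val.replace(/^\./, '').toLowerCase(); c.hostOnly = false; }
    else if (key === 'path' && val.startsWith('/')) c.path = val;
    else if (key === 'expires') c.expires = new Date(val);
    else if (key === 'secure') c.secure = true;
  }
  // A server may only set cookies for its own host or a parent domain of it.
  if (!c.hostOnly && !domainMatches(originHost, c.domain, false)) return null;
  return c;
}

// Would a browser attach this cookie to a request for `url` at time `now`?
function shouldSend(c, url, now = new Date()) {
  const u = new URL(url);
  if (c.expires && c.expires <= now) return false; // past its expiry
  if (c.secure && u.protocol !== 'https:') return false; // secure cookies need HTTPS
  return domainMatches(u.hostname, c.domain, c.hostOnly) && pathMatches(u.pathname, c.path);
}
```

A cookie scoped to test.123.cn reaches admin.test.123.cn but never b.com, and b.com cannot set a cookie for test.123.cn, which is why the redirect target has to issue its own cookie.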
