Background

During frontend/backend integration debugging, the backend needed a cookie passed along as an input parameter. I tried to read it with document.cookie, but found that although the browser had the cookie, it could not be read.

Reproduction steps

  1. Open Chrome DevTools (Application > Storage > Cookies); the cookie is listed as stored in the browser;
  2. Run document.cookie in the Console; the cookie is missing from the returned string

Understanding cookies

A cookie is a small piece of data that a server sends and the user's browser stores locally. The browser attaches it to subsequent requests to the same server. A cookie's lifetime (Expires or Max-Age), Domain, Path and the site context in which it is sent (SameSite) can be set as required, along with the access restrictions (Secure, HttpOnly) described next.

Restricting access to cookies

  • Secure: a cookie with the Secure attribute is sent to the server only over HTTPS. This keeps it from travelling in cleartext, where a network (man-in-the-middle) observer could read it; it is not a defence against an attacker who can already read the HTTPS traffic.

  • HttpOnly: a cookie with the HttpOnly attribute cannot be read through the document.cookie API; it is only ever carried to the server. This mitigates XSS (cross-site scripting), because injected script cannot exfiltrate the cookie value, although the script can still issue requests that carry it. A cookie that shows in DevTools but is absent from document.cookie is HttpOnly, which explains the reproduction above: the backend can still read it from the Cookie request header, but frontend script cannot hand it over as a parameter.

Cookie scope

  • Domain specifies which hosts the cookie is sent to. If omitted, the cookie is host-only: it goes to the exact host that set it and not to its subdomains. If Domain is specified, subdomains are included (Domain=example.com also covers app.example.com).
  • Path specifies which URL paths on that host receive the cookie. The request path must equal the cookie Path or be a sub-path of it on a "/" boundary (Path=/admin matches /admin and /admin/users, but not /administrator).

SameSite

Lets the server require that a cookie not be sent with cross-site requests, which helps prevent cross-site request forgery (CSRF). Possible values (case-insensitive):

  • None: the browser sends the cookie on same-site and cross-site requests alike. This was the historical default; modern browsers require Secure alongside SameSite=None and reject the cookie otherwise.
  • Strict: the browser sends the cookie only with same-site requests.
  • Lax: like Strict, except that the cookie is also sent when the user navigates to the site from an external site (a top-level navigation using a safe method such as GET). Chrome treats a cookie with no SameSite attribute as Lax.
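The three sections above (access restrictions, scope, SameSite) describe rules the browser applies silently. The following is an added example, not code from the original post: a small in-memory model of a cookie jar that parses Set-Cookie headers and then decides which cookies document.cookie exposes and which are attached to a given request. It makes the HttpOnly behaviour from the reproduction visible: the cookie is stored, yet never appears in the script-visible string. Host names, paths, cookie names and the "last two labels = site" shortcut are all assumptions made for the demo; real browsers use the Public Suffix List.

```javascript
// Added example (not from the original post): in-memory model of browser cookie
// storage and the rules for document.cookie and the Cookie request header.
// Host names, paths and cookie names below are constructed for illustration.

// Default-path rule from RFC 6265 §5.1.4: the setting URL's path up to (not
// including) its last "/", or "/" when there is no deeper directory.
function defaultPath(pathname) {
  const i = pathname.lastIndexOf('/');
  return i <= 0 ? '/' : pathname.slice(0, i);
}

// Parse one Set-Cookie header value received from setUrl into a cookie record.
// Returns null for a combination browsers reject (SameSite=None without Secure).
function parseSetCookie(header, setUrl) {
  const url = new URL(setUrl);
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: url.hostname,   // no Domain attribute => host-only cookie
    hostOnly: true,
    path: defaultPath(url.pathname),
    secure: false,
    httpOnly: false,
    sameSite: 'Lax',        // modern Chrome treats a missing SameSite as Lax
  };
  for (const attr of attrs) {
    const j = attr.indexOf('=');
    const k = (j < 0 ? attr : attr.slice(0, j)).trim().toLowerCase(); // attribute names are case-insensitive
    const v = j < 0 ? '' : attr.slice(j + 1).trim();
    if (k === 'domain') { cookie.domain = v.replace(/^\./, '').toLowerCase(); cookie.hostOnly = false; }
    else if (k === 'path' && v.startsWith('/')) cookie.path = v;
    else if (k === 'secure') cookie.secure = true;
    else if (k === 'httponly') cookie.httpOnly = true;
    else if (k === 'samesite') cookie.sameSite = ({ none: 'None', lax: 'Lax', strict: 'Strict' })[v.toLowerCase()] || 'Lax';
    // Expires / Max-Age are ignored here: lifetime is not what this model shows.
  }
  if (cookie.sameSite === 'None' && !cookie.secure) return null;
  return cookie;
}

// Host-only cookies match the exact host; Domain cookies also match subdomains.
function domainMatches(host, cookie) {
  return host === cookie.domain || (!cookie.hostOnly && host.endsWith('.' + cookie.domain));
}

// The cookie Path must be a prefix of the request path on a "/" boundary.
function pathMatches(reqPath, cookiePath) {
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath.length === cookiePath.length || reqPath[cookiePath.length] === '/';
}

// Simplification (assumption): the last two labels are the registrable domain ("site").
function siteOf(host) { return host.split('.').slice(-2).join('.'); }

// Cookies in scope for a URL: domain, path and Secure-only-over-https checks.
function inScope(jar, urlStr) {
  const url = new URL(urlStr);
  return jar.filter(c => domainMatches(url.hostname, c)
    && pathMatches(url.pathname, c.path)
    && (!c.secure || url.protocol === 'https:'));
}

// What document.cookie returns on a page at pageUrl. HttpOnly cookies are absent
// even though DevTools shows them stored. SameSite plays no role: the page
// reading its own cookies is same-site by definition.
function documentCookie(jar, pageUrl) {
  return inScope(jar, pageUrl).filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`).join('; ');
}

// Cookie header values for a request to url initiated by a document at initiatorUrl.
// topLevelNavigation is true for address-bar / link navigations, false for
// fetch/XHR, images, iframes and form posts into frames.
function cookieHeaderFor(jar, { url, initiatorUrl, topLevelNavigation = false, method = 'GET' }) {
  const sameSite = siteOf(new URL(url).hostname) === siteOf(new URL(initiatorUrl).hostname);
  const safeMethod = ['GET', 'HEAD'].includes(method.toUpperCase());
  return inScope(jar, url).filter(c => {
    if (sameSite || c.sameSite === 'None') return true;
    if (c.sameSite === 'Strict') return false;
    return topLevelNavigation && safeMethod;   // Lax
  }).map(c => `${c.name}=${c.value}`);
}

// Constructed demo jar: Set-Cookie headers as if received from https://app.example.com/login
const demoJar = [
  'sid=abc123; HttpOnly; Secure; Path=/; SameSite=Lax',
  'theme=dark; Path=/',
  'tracker=xyz; Domain=example.com; Path=/; Secure; SameSite=None',
  'csrf=tok; Path=/admin; Secure; SameSite=Strict',
  'bad=1; SameSite=None',                           // rejected: None without Secure
].map(h => parseSetCookie(h, 'https://app.example.com/login')).filter(Boolean);

console.log(documentCookie(demoJar, 'https://app.example.com/'));   // sid is stored but HttpOnly, so it is missing
console.log(cookieHeaderFor(demoJar, { url: 'https://app.example.com/admin/users', initiatorUrl: 'https://evil.test/', method: 'POST' }));
```

Run it with node. On https://app.example.com/ the script-visible string is theme and tracker only; the HttpOnly session cookie sid is stored but never exposed, and csrf is out of scope because its Path is /admin. The cross-site POST from evil.test carries only the SameSite=None cookie, while a top-level GET navigation from the same external site would also carry the Lax cookies but still not the Strict csrf cookie. Loading the page over plain http drops every Secure cookie from both views.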

Cookie Priority attribute

Optional values (a Chrome-specific, non-standard attribute):

  • Low
  • Medium (default)
  • High

When the number of cookies stored for a domain exceeds Chrome's per-domain limit, Priority decides which cookies are evicted first. The eviction order is:

  1. Non-secure cookies with priority Low
  2. Secure cookies with priority Low
  3. Non-secure cookies with priority Medium
  4. Secure cookies with priority Medium
  5. Non-secure cookies with priority High
  6. Secure cookies with priority High
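The eviction order above matters for security because an attacker who can set cookies for a domain (for example via XSS on a sibling subdomain) can flood the jar to push a legitimate cookie out. The following is an added example, not code from the original post or from Chrome: it models the listed order as a sort key and trims a domain's jar down to a limit. The least-recently-accessed-first tiebreak within one class, the cookie records and the limit are assumptions for the demo.

```javascript
// Added example (not from the original post): model of the Chrome Priority
// eviction order listed above. Cookie records and the lastAccess tiebreak are
// constructed assumptions; Chrome's real purge is more nuanced than this.
const PRIORITY_RANK = { low: 0, medium: 1, high: 2 };

// Lower rank is evicted earlier. Within one priority, non-secure cookies go
// before secure ones, matching the six-step order on the page.
function evictionRank(cookie) {
  const p = PRIORITY_RANK[(cookie.priority || 'medium').toLowerCase()];
  return p * 2 + (cookie.secure ? 1 : 0);
}

// Return the cookies that survive trimming a domain's jar down to `limit`,
// preserving their original order.
function trimToLimit(cookies, limit) {
  const ordered = [...cookies].sort((a, b) =>
    evictionRank(a) - evictionRank(b) || a.lastAccess - b.lastAccess);
  const excess = Math.max(0, cookies.length - limit);
  const evicted = new Set(ordered.slice(0, excess));
  return cookies.filter(c => !evicted.has(c));
}

// Constructed demo jar for one domain; lastAccess is an arbitrary clock value.
const demoCookies = [
  { name: 'sid',     secure: true,  priority: 'High',   lastAccess: 10 },
  { name: 'ab_test', secure: false, priority: 'Low',    lastAccess: 50 },
  { name: 'theme',   secure: false,                     lastAccess: 20 }, // Medium by default
  { name: 'csrf',    secure: true,  priority: 'Medium', lastAccess: 30 },
  { name: 'promo',   secure: false, priority: 'Low',    lastAccess: 5 },
];

console.log(trimToLimit(demoCookies, 3).map(c => c.name));
```

With a limit of 3 the two Low cookies are evicted (promo first, as the least recently accessed), and the Secure High session cookie sid is the last to go at any limit. That is the practical takeaway: marking a session cookie Secure and Priority=High keeps it out of reach of a cookie-jar overflow that is meant to evict it.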

SameParty

SameParty is a Boolean attribute, introduced as a Chrome-only experiment tied to First-Party Sets and later abandoned by Chrome, that indicates whether a cookie should be included in requests between origins belonging to the same first-party set.

References

  • Cookies explained on MDN
  • Chrome cookie Priority attribute
  • Chrome SameParty attribute