
Set-Cookie

Description

The Set-Cookie response header is used by a server to send cookies to the client. Cookies are small pieces of data stored by the client browser that help maintain stateful information for HTTP, which is otherwise a stateless protocol. These cookies are then sent back to the server in subsequent requests via the Cookie request header.

Cookies serve numerous purposes in web applications, including:
  • Session management (user logins, shopping carts)
  • Personalization (user preferences, themes)
  • Tracking and analytics (user behavior, traffic sources)
  • Feature functionality (remembering selected options)

The Set-Cookie header includes not only the cookie's name and value but also various attributes that control when, where, and how the cookie should be used, as well as security parameters to protect sensitive cookie data.

Syntax

The syntax of the Set-Cookie header follows this structure:

Set-Cookie: <name>=<value>[; Expires=<date>][; Max-Age=<seconds>][; Domain=<domain>][; Path=<path>][; Secure][; HttpOnly][; SameSite=<samesite>]
  • <name>=<value>: The cookie name and its value.
  • Expires=<date>: Optional date after which the cookie expires.
  • Max-Age=<seconds>: Optional number of seconds until the cookie expires.
  • Domain=<domain>: Optional domain for which the cookie is valid.
  • Path=<path>: Optional path for which the cookie is valid.
  • Secure: Optional flag indicating the cookie should only be sent over HTTPS.
  • HttpOnly: Optional flag indicating the cookie is not accessible via JavaScript.
  • SameSite=<samesite>: Optional directive to control when cookies are sent with cross-site requests (Strict, Lax, or None).

Example Syntax

Set-Cookie: sessionId=abc123; Path=/; HttpOnly; Secure; SameSite=Strict

This example sets a session cookie with several security attributes.

Examples

A response setting a simple session cookie:

HTTP/1.1 200 OK
Date: Mon, 02 Jun 2025 19:00:00 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: sessionId=a3fWa; Path=/; HttpOnly
Content-Length: 234

<!DOCTYPE html>
<html>
<head><title>Login Successful</title></head>
<body><p>You have successfully logged in.</p></body>
</html>

A response setting a cookie that expires in 30 days:

HTTP/1.1 200 OK
Date: Mon, 02 Jun 2025 19:10:30 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: preferences=theme:dark; Max-Age=2592000; Path=/; SameSite=Lax
Content-Length: 256

<!DOCTYPE html>
<html>
<head><title>Preferences Saved</title></head>
<body><p>Your preferences have been saved.</p></body>
</html>

Multiple Cookies Example

A response setting multiple cookies:

HTTP/1.1 200 OK
Date: Mon, 02 Jun 2025 19:20:45 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: sessionId=xyz789; Path=/; HttpOnly; Secure; SameSite=Strict
Set-Cookie: language=en; Max-Age=31536000; Path=/
Set-Cookie: lastVisit=2025-06-02T19:20:45Z; Path=/; Domain=example.com
Content-Length: 278

<!DOCTYPE html>
<html>
<head><title>Welcome Back</title></head>
<body><p>Welcome back to our site. Your preferences have been applied.</p></body>
</html>

A response setting a cookie with all security attributes:

HTTP/1.1 200 OK
Date: Mon, 02 Jun 2025 19:30:15 GMT
Content-Type: application/json
Set-Cookie: authToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...; Path=/api; HttpOnly; Secure; SameSite=Strict; Max-Age=3600
Content-Length: 42

{"status": "success", "message": "Authenticated"}

This example sets a secure authentication token cookie that:
  • Is only sent to paths starting with /api
  • Cannot be accessed by JavaScript (HttpOnly)
  • Is only sent over HTTPS connections (Secure)
  • Is never sent in cross-site requests (SameSite=Strict)
  • Expires after one hour (3600 seconds)
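As an added example (not code from the original page), here is a small parser for the attribute grammar given in the Syntax section together with an audit that flags the weak combinations the examples above avoid: a missing Secure or HttpOnly, a missing SameSite, and SameSite=None without Secure. The function names, the holds_session flag and the finding strings are this example's own conventions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to None.
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header, with or without the 'Set-Cookie:' prefix."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    # partition() splits on the first '=' only, so values such as 'abc==' survive.
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("Set-Cookie must start with <name>=<value>")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; a bare flag carries no value.
        cookie.attrs[key.strip().lower()] = val.strip() if sep else None
    return cookie


def audit_cookie(cookie: Cookie, holds_session: bool) -> List[str]:
    """Report attribute combinations that weaken the cookie's protection.

    holds_session=True marks cookies like sessionId or authToken, which should
    never be readable from script (this flag is an assumption of the example).
    """
    attrs = cookie.attrs
    findings: List[str] = []
    samesite = (attrs.get("samesite") or "").lower()
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if holds_session and "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable via document.cookie")
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: modern browsers reject the cookie")
    elif not samesite:
        findings.append("no SameSite: the browser default applies")
    return findings
```

Run audit_cookie over the Set-Cookie lines of each response on this page: the authToken and sessionId=xyz789 cookies produce no findings, while sessionId=a3fWa is flagged for the missing Secure and SameSite attributes.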

Summary

The Set-Cookie response header is a fundamental component of web application state management. By allowing servers to store data on the client side, cookies enable persistent sessions, personalization, and tracking capabilities that would otherwise be impossible in the stateless HTTP protocol. When implementing cookies, it's important to use appropriate security attributes (HttpOnly, Secure, SameSite) to protect sensitive data, and to be mindful of privacy regulations that may require user consent for certain types of cookies. With the growing focus on user privacy and security, proper cookie implementation is increasingly important for both compliance and user trust.