Q22: Cookie Policy Header

[00:00:00]
>> Question 22, almost done, eight left. What statements are true about the following cookie header? This cookie is accessible from www.website.com, but not from blog.website.com. This cookie can only be set client-side on the website.com domain. This cookie gets treated like a session cookie. Or this cookie will be sent when navigating from another website to www.website.com.

[00:00:28]
So the right answer is C, this cookie gets treated a session cookie, and D, this cookie will be sent when navigating from another website to www.website.com. So let's see why. So first we, I mean, we've set my cookie value I won't explain that part, but then we also set the domain.

[00:00:46]
And this kind of means that the cookie will be accessible on website.com but also its subdomains, right? It's just that domain. If the domain attribute was not specified, this cookie would only be available on the exact domain that that cookie set. So where that request came from, the cookie is then set on just that domain.

[00:01:06]
But in this case we do specify it, so it's also available on the subdomains. Next we set secure, which really just means that this cookie should only ever be transmitted over HTTPS. So this helps prevent the cookie from being intercepted by an attacker, men in the middle, all that stuff.

[00:01:26]
And next we have HTTP only, which means that we cannot access this cookie client site. So we cannot use document.cookie. It will only be included in HTTP requests. So the server can have it, but we cannot access it on the client. So then there are other things, cuz if we sometimes do not specify certain things, like same sites, then it will default back to lax.

[00:01:47]
I never know if you'd pronounce it lax or L-A-X, I'll just say lax, which essentially means that this cookie will be sent from top level navigations to that site. So if we were on other website.com and we type website.com, in that request, the cookie will still be set.

[00:02:03]
And this is just nice, cuz if you wanna see if a user is already authenticated, the user wouldn't have to reload that page to then get that authentication, because then it will be set on the same site. But that only applies to those top level navigations. And as long as it's a get request and the connection is secure, so if you're using HTTPS.

[00:02:24]
You also have same site, None, which basically says that you, any website can have it, or same Site Strict which only allows the cookie to be read by the same site. So only if the request is the same origin request, then it'll be included in that request. But in this case, lax is kind of the most intuitive one when you haven't navigate to the site from another site, tab level navigation then it is included.

[00:02:48]
Next, we have yes A is false, a cookie is accessible from www.website.com and not from blog. This is false because we set the domain, which also means it's available on subdomains. [LAUGH] The cookie can only be set client-side on the website.com domain. It cannot be set client-side at all, because we have the HTTP only.

[00:03:08]
So this is false. This cookie gets treated a session cookie is also true. And this is one of those other default behaviors, is when we don't set an expire or a max age, it will just get treated a session cookie. So as long as the user has opened a browser and stuff that, will this cookie live.

[00:03:24]
And this cookie will be sent when navigating from another website to website.com, that's true as we just saw it with the same site lax, which is the default if you don't specify any same site attributes.