Although there is the RFC 2965 (Set-Cookie2, had already obsoleted RFC 2109) that should define the cookie nowadays, most browsers don’t fully support that but just comply to the original specification by Netscape. There is a distinction between the Domain attribute value and the effective domain: the former is taken from the Set-Cookie header field … Read more
The current cookie specification is RFC 6265, which replaces RFC 2109 and RFC 2965 (both RFCs are now marked as “Historic”) and formalizes the syntax for real-world usages of cookies. It clearly states: Introduction … For historical reasons, cookies contain a number of security and privacy infelicities. For example, a server can indicate that a … Read more
One approach, which avoids iterating over an array, would be: function getCookie(name) { const value = `; ${document.cookie}`; const parts = value.split(`; ${name}=`); if (parts.length === 2) return parts.pop().split(‘;’).shift(); } Walkthrough Splitting a string by token will produce either, an array with one string (same value), in case token does not exist in a string, … Read more
Improved Persistent Login Cookie Best Practice You could use this strategy described here as best practice (2006) or an updated strategy described here (2015): When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie. The login cookie contains a series identifier and … Read more
First of all, REST is not a religion and should not be approached as such. While there are advantages to RESTful services, you should only follow the tenets of REST as far as they make sense for your application. That said, authentication and client side state do not violate REST principles. While REST requires that … Read more
If you set a cookie like this: Set-Cookie: name=value then the cookie will only apply to the request domain, and will only be sent for requests to the exact same domain, not any other subdomains. (See What is a host only cookie?) Two different domains (e.g. example.com and subdomain.example.com, or sub1.example.com and sub2.example.com) can only … Read more
I find the following code to be much simpler than anything else: function setCookie(name,value,days) { var expires = “”; if (days) { var date = new Date(); date.setTime(date.getTime() + (days*24*60*60*1000)); expires = “; expires=” + date.toUTCString(); } document.cookie = name + “=” + (value || “”) + expires + “; path=/”; } function getCookie(name) { … Read more
This is an extremely broad scope question, and a lot of the pros/cons will be contextual to the situation. In all cases, these storage mechanisms will be specific to an individual browser on an individual computer/device. Any requirement to store data on an ongoing basis across sessions will need to involve your application server side … Read more
You should implement a session timeout of your own. Both options mentioned by others (session.gc_maxlifetime and session.cookie_lifetime) are not reliable. I’ll explain the reasons for that. First: session.gc_maxlifetime session.gc_maxlifetime specifies the number of seconds after which data will be seen as ‘garbage’ and cleaned up. Garbage collection occurs during session start. But the garbage collector … Read more
Update April 2019 jQuery isn’t needed for cookie reading/manipulation, so don’t use the original answer below. Go to https://github.com/js-cookie/js-cookie instead, and use the library there that doesn’t depend on jQuery. Basic examples: // Set a cookie Cookies.set(‘name’, ‘value’); // Read the cookie Cookies.get(‘name’) => // => ‘value’ See the docs on github for details. Before … Read more