# Cookies

## Tools

### flask-unsign

Sign Cookie (Legacy)

```shell
flask-unsign --sign --cookie "<plaintext_json_cookie>" --secret 'secret_key' --legacy
```
## Cookie Flags

### Expires & Max-Age

- By default a cookie lasts one session, which traditionally means until the browser closes. Modern browsers that restore tabs on restart may hold onto a session cookie longer than that.
- Set the shortest reasonable lifetime (with Expires or Max-Age) for maximum security.
### Domain

- By default a cookie is only sent back to the exact host (subdomain) that set it.
- The Domain attribute changes the scope of where the cookie is shared. If the domain is changed from the subdomain to the root domain, every subdomain of that root gets access to the cookie.
### Path

- By default a cookie is only sent for the web path that set it.
- The Path attribute changes which paths have access to the cookie. If Path is set to / (root), every path on the website gets access to the cookie.
### Secure

- By default cookies can be sent over both HTTP and HTTPS.
- The Secure flag only allows the cookie to be sent over HTTPS.
### HttpOnly

- Makes the cookie inaccessible to client-side scripts (for example `document.cookie`). If a browser does not support the HttpOnly flag, the cookie is still accessible to scripts.
### SameSite

- When you browse to a website that pulls resources from other websites, your browser can send any cookies you hold for those other websites along with those requests.
- This attribute alters that behavior based on one of its three values: Strict, Lax, and None.
#### Strict

The cookie is only sent when the request originates from the same site; no cross-site request carries it, not even a top-level navigation from another site.

#### Lax

The cookie is sent on a cross-site request only if it is an HTTP GET and a top-level navigation (the address bar changes to the cookie's site). Cookies will not be sent when a website loads images or other subresources from an external site that you have cookies for.

#### None

The cookie is always sent, including on cross-site subresource requests. If None is set then Secure must also be set, or the browser rejects the cookie.
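To make the flags above concrete, here is an added example (not code from the original page or from flask-unsign) that builds a hardened `Set-Cookie` header with the standard library, audits an arbitrary `Set-Cookie` header for the weak settings described in this section, and models whether a browser would attach the cookie to a request under each SameSite value. The header strings are constructed for the example, and the model assumes Lax as the default when SameSite is absent; it is a simplified model of the rules, not a full browser implementation.

```python
"""Set-Cookie builder, auditor and SameSite decision model (added example)."""
from http.cookies import SimpleCookie

# Human-readable explanation for each audit finding code.
MESSAGES = {
    "NO_SECURE": "missing Secure: cookie may be sent over plain HTTP",
    "NO_HTTPONLY": "missing HttpOnly: cookie readable by client-side script",
    "NO_SAMESITE": "missing SameSite: relies on the browser's default",
    "NONE_WITHOUT_SECURE": "SameSite=None without Secure: browsers reject it",
    "SESSION_LIFETIME": "no Expires/Max-Age: browser decides how long it lives",
    "DOMAIN_WIDE": "Domain set: every subdomain of that domain receives it",
}


def build_set_cookie(name, value, *, max_age=None, domain=None, path="/",
                     secure=True, httponly=True, samesite="Lax"):
    """Return a Set-Cookie header value with secure defaults (Python 3.8+)."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    if max_age is not None:
        morsel["max-age"] = max_age          # shortest reasonable lifetime
    if domain:
        morsel["domain"] = domain            # widens scope to all subdomains
    morsel["path"] = path
    morsel["secure"] = secure                # HTTPS only
    morsel["httponly"] = httponly            # hidden from document.cookie
    morsel["samesite"] = samesite            # Strict / Lax / None
    return morsel.OutputString()


def parse_set_cookie(header):
    """Split 'name=value; Attr=x; Flag' into (name, value, {attr: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return the list of weak-setting codes found in a Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("NO_SECURE")
    if "httponly" not in attrs:
        findings.append("NO_HTTPONLY")
    samesite = str(attrs.get("samesite", "")).lower()
    if not samesite:
        findings.append("NO_SAMESITE")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("NONE_WITHOUT_SECURE")
    if "expires" not in attrs and "max-age" not in attrs:
        findings.append("SESSION_LIFETIME")
    if attrs.get("domain"):
        findings.append("DOMAIN_WIDE")
    return findings


def browser_sends_cookie(header, *, https, cross_site, top_level_nav, method="GET"):
    """Simplified model: would a browser attach this cookie to the request?"""
    _, _, attrs = parse_set_cookie(header)
    if attrs.get("secure") and not https:
        return False                          # Secure cookies never ride HTTP
    samesite = str(attrs.get("samesite", "lax")).lower()   # assumed default
    if not cross_site:
        return True                           # same-site: always sent
    if samesite == "strict":
        return False                          # no cross-site request at all
    if samesite == "lax":
        return top_level_nav and method.upper() == "GET"
    return bool(attrs.get("secure"))          # None: only valid with Secure


if __name__ == "__main__":
    weak = "sid=abc; Path=/"                  # constructed weak header
    for code in audit_set_cookie(weak):
        print(f"{code}: {MESSAGES[code]}")
    hardened = build_set_cookie("session", "abc123", max_age=3600)
    print(hardened, "->", audit_set_cookie(hardened))
```

Running the module prints the findings for the constructed weak header and shows that the hardened header produced by `build_set_cookie` yields none. The `browser_sends_cookie` function is where the Strict/Lax/None rules live: a Lax cookie travels on a cross-site top-level GET but not on a cross-site POST or an image load, and a Strict cookie travels on neither.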