What Is an HTTP Cookie? How Web Sessions Actually Work
A cookie is a small piece of data a website stores in your browser that gets sent back with every subsequent request. Explanation of session cookies, flags, and third-party cookies.
Short answer
A cookie is a small piece of data (typically under 4KB) that a website tells your browser to store, and that your browser automatically sends back to that website with every subsequent request. Cookies are how websites remember you're logged in, what's in your shopping cart, and your language preference.
The round trip
- You log in. The server sends back: Set-Cookie: session=abc123; HttpOnly; Secure
- Your browser saves session=abc123 for that site.
- Every future request to that site automatically includes: Cookie: session=abc123
- The server reads the cookie, looks up session abc123, and knows it's you.
The important flags
| Flag | Effect |
|---|---|
| HttpOnly | JavaScript can't read the cookie (document.cookie). Critical for session tokens — prevents an XSS payload from reading and exfiltrating them. |
| Secure | Only sent over HTTPS. Always use on anything sensitive. |
| SameSite=Strict | Never sent on cross-site requests. Most secure. |
| SameSite=Lax | Sent only on top-level navigations with safe methods such as GET (e.g., clicking a link to your site), not with embedded cross-site requests. Good default. |
| SameSite=None | Sent on cross-site requests. Requires Secure. Needed for cross-site embeds. |
| Max-Age=N | Cookie expires in N seconds. Without this (or Expires), the cookie is deleted on browser close ("session cookie"). |
| Domain=.example.com | Cookie also sent to subdomains. |
| Path=/admin | Cookie only sent to URLs under /admin. |
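To make the flag guidance above concrete, here is an added example (not code from the original article) that parses a Set-Cookie header into its attributes and reports which of the protections a session token should carry are missing. The header strings it checks are constructed samples, and the helper names are my own.

```python
"""Parse a Set-Cookie header and audit it against the flag guidance above.

Added example, not part of the original article. The sample headers are
constructed, not captured from any real site.
"""
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lower-cased


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split 'name=value; Attr; Attr=val' into its parts (RFC 6265 style)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag-only attributes (HttpOnly, Secure) are stored as True.
        attrs[key.strip().lower()] = val.strip() or True
    return ParsedCookie(name.strip(), value.strip(), attrs)


def audit_session_cookie(header: str) -> list[str]:
    """Return findings for a cookie that is meant to carry a session token."""
    a = parse_set_cookie(header).attrs
    findings = []
    if "httponly" not in a:
        findings.append("missing HttpOnly: document.cookie can read the token")
    if "secure" not in a:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    samesite = str(a.get("samesite", "")).lower()
    if not samesite:
        findings.append("missing SameSite: set Lax or Strict explicitly")
    elif samesite == "none" and "secure" not in a:
        findings.append("SameSite=None without Secure: browsers reject this cookie")
    return findings


if __name__ == "__main__":
    # Constructed headers: the login cookie from the round trip above, and a weak one.
    for h in ("session=abc123; HttpOnly; Secure; SameSite=Lax",
              "session=abc123; SameSite=None"):
        print(h, "->", audit_session_cookie(h) or ["ok"])
```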
First-party vs third-party cookies
A first-party cookie is set by the site you're currently on (example.com while visiting example.com). A third-party cookie is set by a domain different from the page (ads.google.com via an ad embedded on example.com). Third-party cookies powered most of the ad-tech tracking web for 20 years; major browsers have now deprecated them (Safari, Firefox by default; Chrome since 2024).
Cookies vs localStorage vs sessionStorage
| | Cookie | localStorage | sessionStorage |
|---|---|---|---|
| Max size | ~4 KB | ~5-10 MB | ~5-10 MB |
| Sent with requests | Yes, automatically | No | No |
| JS readable | Only if not HttpOnly | Yes | Yes |
| Lifetime | Max-Age or session | Until cleared | Until tab closes |
| Use for | Session tokens, server-needed data | App state, preferences | Per-tab temp state |
Common cookie types
- Session cookies — track logged-in state; usually HttpOnly + Secure
- Remember-me cookies — long-lived login persistence
- CSRF tokens — paired with form submissions to prevent cross-site request forgery
- Analytics cookies — Google Analytics' _ga cookie IDs your browser across visits
- Consent cookies — store what cookies you agreed to
Related tools
Cookies that hold JWTs can be decoded with a JWT decoder. Cookie values with special characters are often URL-encoded, and values are sometimes Base64-encoded, so a Base64 decoder is handy for inspecting them.