
Here's a preview from my zine, HTTP: Learn your browser's language!! If you want to see more comics like this, sign up for my Saturday comics newsletter or browse more comics!

Cookies are a way for a server to store a little bit of information in your browser. They're set with the Set-Cookie response header, like this:
first request: server sets a cookie
browser, represented by a box with a smiley face: GET /my-cats
server, also represented by a box with a smiley face:
200 OK
Set-Cookie: user=b0rk; HttpOnly
<response body>
(user is the name, b0rk is the value, and HttpOnly is a cookie option (the expiry goes here too))
Every request after: browser sends the cookie back
browser:
GET /my-cats
Cookie: user=b0rk
server, thinking: oh, this is b0rk! I don’t need to ask them who they are then!
Cookies are used by many websites to keep you logged in. Instead of user=b0rk they'll set a cookie like sessionid=long-incomprehensible-id. This is important because if they just set a simple cookie like user=b0rk, anyone could pretend to be b0rk by setting that cookie!
Designing a secure login system with cookies is quite difficult— to learn more about it, google “OWASP Session Management Cheat Sheet”.
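To make the difference concrete, here is an added example (mine, not from the zine) of the two schemes side by side: a server that trusts user=b0rk straight from the Cookie header, and one that hands out a random sessionid it looks up in its own store. The in-memory SESSIONS dict, the helper names and the cookie options beyond HttpOnly are my assumptions for illustration.

```python
import secrets

SESSIONS = {}  # server-side session store: sessionid -> user (in memory, for illustration)


def parse_cookie_header(value):
    """Parse the value of a Cookie request header ('a=b; c=d') into a dict."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = val.strip()
    return cookies


def set_cookie_header(name, value, max_age=3600):
    """Build a Set-Cookie line. HttpOnly keeps page scripts from reading the cookie,
    Secure limits it to HTTPS, Max-Age is the expiry, SameSite=Lax narrows
    cross-site sending (the extra options are my additions to the comic's example)."""
    return f"Set-Cookie: {name}={value}; HttpOnly; Secure; Max-Age={max_age}; SameSite=Lax"


def who_is_it_weak(cookie_header):
    """The comic's 'simple' scheme: believe user=... straight from the cookie.
    Anyone can put user=b0rk in their own browser, so this proves nothing."""
    return parse_cookie_header(cookie_header).get("user")


def login(user):
    """Issue an unguessable session id and remember server-side who it belongs to."""
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS random source
    SESSIONS[sid] = user
    return set_cookie_header("sessionid", sid)


def who_is_it(cookie_header):
    """Look the session id up server-side; unknown or made-up ids map to nobody."""
    sid = parse_cookie_header(cookie_header).get("sessionid")
    return SESSIONS.get(sid)


def logout(cookie_header):
    """Invalidate the session server-side, so the old cookie stops working even if copied."""
    sid = parse_cookie_header(cookie_header).get("sessionid")
    SESSIONS.pop(sid, None)
    return set_cookie_header("sessionid", "", max_age=0)  # Max-Age=0 tells the browser to drop it
```

With the session scheme the server also gets to end a login from its side (logout, or expiring old sessions), which a bare user=b0rk cookie never allows.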