Some commonly asked questions are: To understand these limits, let’s first look at what the official specification, i.e., RFC 6265 has to say. According to it, a browser must provide a minimum of the following: We know the minimum limits now. As far as maximum limits are concerned, it doesn’t really matter because each browser […]

It is often discussed where should one store authentication or other sensitive tokens – in cookies or localStorage? I think either of the two can be chosen as long as one understands the differences between them across certain aspects like storage, communication, cross-site and cross-origin access and security. Note: We will not consider using sessionStorage […]

If you’ve been struggling with sending or receiving cookies with your cross-origin fetch() requests (CORS), then make sure you’re adhering to each of the following points:

The SameSite attribute of cookies controls how they are sent in cross-site (slightly different from cross-origin) requests in web browsers through which we can reduce the risk of cross-site request forgery (CSRF) attacks and hence enhance user privacy and security. Before looking at the different values we can pass to this attribute, please read this […]

If you are running multiple apps on localhost across different subdomains (foo.localhost, bar.localhost, etc.) and want to set a cookie on one domain that is accessible from another subdomain, then you will have to watch out for a couple of things. Setting a Cookie with Domain=.localhost or Domain=localhost (since the dot notation is deprecated) will […]