Understanding Set-Cookie Response Header

admin

4 years ago

Table of Contents

Overview of Set-Cookie Response Header

The web server can send the Set-Cookie header back to the client or browsers or any other user agent. The client is then supposed to store this cookie at its end. This client will send this cookie to the server on each request.

You can read about HTTP cookie in general here – https://en.wikipedia.org/wiki/HTTP_cookie

Below is the syntax of the Set-Cookie header

Set-Cookie: =; Expires={some_date}; Max-Age={some_integer}; Domain={some_domain}; Path={some_path}; 
SameSite={Strict/Lax/None}

Below are the fields of the Set-Cookie header. These fields are joined by ‘;’ to create the final Set-Cookie header value

name=value – This is the name-value pair that denotes the <cookie-name> and <cookie-value>. Name and Value separated by ‘=’. This is a mandatory field of a cookie. All other fields are optional fields

Expires={some_date} – It specifies the max lifetime of a cookie. It is in date format and the cookie will expire after that.

Max-Age={some_integer} – it represents the number of seconds after which the cookie will expire. Max-Age has precedence if both Expires and Max-Date is specified

Domain={some_domain} – It specifies the domain to which the request will be sent

Path={some_path} – The path to exist in the requested URI for the client to send the cookies. If the path does not match the requested URI, the client will not send the cookie. The higher level path matches the lower level path. Hence / will match all paths. While /employee will match /employee, /employee/name, /employee/details

Secure – This flag means that cookie will only be sent to the server if an HTTPS request is made

HttpOnly – With this flag on, javascript will not be able to access the cookie. This is to prevent CSRF attacks

SameSite=Strict or Lax or None – This option controls whether the cookies can be sent when the browser makes a cross-origin call.

As mentioned above these fields can be combined using ‘;’ to create the final Set-Cookie header. An important thing to note here is that the client will only send the name-value pair back to the server for subsequent calls to the server. All other options are for client only. Other important point to note is that server can also send multiple Set-Cookie header in the response. All the name-value pair in all the Set-Cookie response header will be send to the server in subsequent calls.

Examples

Here are some samples of Set-Cookie header

Only name-value pair

show_pop=true

name-value pair with Expires field

show_pop=true; Expires=Tues, 27 Nov 2016 07:45:00 GMT

name-value pair with other fields

show_pop=true; Expires=Tues, 27 Nov 2016 07:45:00 GMT; Domain=foo_test.com; SameSite=Strict

Program

Let’s see the Set-Cookie header in action. We will see the example in golang. For that first create a golang server listening on port 8080. Create two APIs

localhost:8080/doc – In this API the server will set the Set-Cookie header in the response. We are going to make this call from the browser. The browser is going to save this cookie at its end. The browser will then send the same cookie back to the server for any other request to localhost:8080

localhost:8080/doc/id – This is the example API to demonstrate that browser actually sends the same cookie in request which in received in response in the Set-Cookie header

Let’s first create a server

go.mod

module sample.com/learn

go 1.16

main.go

package main

import (
	"fmt"
	"net/http"
)

func main() {
	docHandler := http.HandlerFunc(docHandler)
	http.Handle("/doc", docHandler)

	docGetID := http.HandlerFunc(docGetID)
	http.Handle("/doc/id", docGetID)

	http.ListenAndServe(":8080", nil)
}

func docHandler(w http.ResponseWriter, r *http.Request) {
	cookie := &http.Cookie{
		Name:   "id",
		Value:  "abcd",
		MaxAge: 300,
	}
	http.SetCookie(w, cookie)
	w.WriteHeader(200)
	w.Write([]byte("Doc Get Successful"))
	return
}

func docGetID(w http.ResponseWriter, r *http.Request) {
	c, _ := r.Cookie("id")
	fmt.Println(c)
	w.WriteHeader(200)
	w.Write([]byte("Doc Get ID Successful"))
	return
}

See in the above code we have two APIs as discussed above. Run the above program using

go run main.go

The server will start running on port 8080

Now make the API call localhost:8080/doc from a browser. The server is sending below Set-Cookie in the response

Set-Cookie: id=abcd; Max-Age=300

Same is also visible in the response headers of the API call. See screenshot below

Now let’s make the other API call from a different tab. Notice that same cookie is send back in the response. Also note that only name-value pair is send back as we mentioned above in the article

Checkout our Golang comprehensive tutorial Series – Golang Comprehensive Tutorial