Observe a bounded cookie lifecycle
Observe cookie creation, request selection, and cleanup as separate browser steps.
- cookies
- browsers
Prediction
A stored cookie is sent only when request scope and browser context match its attributes. Cleanup should expire only the fixed scenario cookie.
Controlled observation
Run the three choices in order. Set asks the browser to store one fixed cookie;
check reports whether that pair was selected for a matching request; clear sends
the same scope with Max-Age=0. The browser request uses credentials: include
and the Worker returns one exact origin plus
Access-Control-Allow-Credentials: true.
Explanation
Cookie scope does not use the same tuple as origin, and CORS does not force a cookie to be stored or sent. HTTPClarity and its Lab are different origins but same-site HTTPS subdomains. This exercise therefore demonstrates only that reviewed same-site context; it makes no cross-site or third-party-cookie claim.
Reset changes the displayed choice but deliberately does not modify browser storage. Run the clear choice to remove the fixed cookie.
Controlled exercise
Run this observation
Run set, check, and clear in order to separate Set-Cookie receipt, browser selection, Cookie sending, and deletion.
Ready. No request has run.
Controlled request
- Method
- POST
- URL
https://lab.httpclarity.com/v1/cookies/set- Permitted headers
- None
- Body
- None
Browser-observed response
No live response yet. The representative static example remains useful without JavaScript or the Worker.
Static response example
HTTP/1.1 200 OK
Set-Cookie: httpclarity_lab=demo; Max-Age=300; Path=/v1/cookies; Secure; HttpOnly; SameSite=Lax
Access-Control-Allow-Credentials: true
{"action":"set","scenario":"cookies"}Timing is browser elapsed time. Fetch hides Set-Cookie, raw wire bytes, reliable compressed size, and some redirect details.
Portable examples
'curl' '--include' '--cookie-jar' '.httpclarity-cookies.txt' '--request' 'POST' 'https://lab.httpclarity.com/v1/cookies/set'const response = await fetch("https://lab.httpclarity.com/v1/cookies/set", {
"method": "POST",
"credentials": "include"
});
console.log(response.status, await response.text());<?php
$options = ['http' => [
'method' => 'POST',
'ignore_errors' => true,
]];
$context = stream_context_create($options);
$body = file_get_contents('https://lab.httpclarity.com/v1/cookies/set', false, $context);
var_dump($http_response_header, $body);Need a full API client? Copy the generated cURL command, then import it in Hoppscotch. HTTPClarity sends no request data to Hoppscotch.
Continue in Hoppscotch (opens in a new tab)Primary sources
- RFC 6265 — HTTP State Management Mechanism (rfc)
- Current HTTP Working Group cookie specification draft (primary documentation)
