Set-Cookie field

Set-Cookie asks a user agent to store one cookie with explicit attributes.

  • cookies
  • fields
  • browser compatibility

Meaning

Each Set-Cookie field asks a user agent to store one cookie. It is not a comma-combinable list field, because the Expires attribute itself contains a comma.

Set-Cookie: session=opaque; Path=/; Secure; HttpOnly; SameSite=Lax

Expected result: a supporting browser stores a host-only cookie for secure requests across the host path, with script access disabled and Lax same-site processing. Storage can still be rejected by browser policy.

Attributes

Domain expands host matching to accepted subdomains; omitting it creates a host-only cookie. Path filters request paths but is not an isolation boundary. Max-Age or Expires controls persistence. Secure, HttpOnly, and SameSite apply separate transport, API-access, and site-context rules.

Common mistake

The later Cookie request field sends selected name/value pairs, not the original attributes. A server cannot infer Secure, HttpOnly, Path, or SameSite from Cookie alone.

Primary sources