Set-Cookie field
Set-Cookie asks a user agent to store one cookie with explicit attributes.
- cookies
- fields
- browser compatibility
Meaning
Each Set-Cookie field asks a user agent to store one cookie. It is not a
comma-combinable list field, because the Expires attribute itself contains a
comma.
Set-Cookie: session=opaque; Path=/; Secure; HttpOnly; SameSite=Lax
Expected result: a supporting browser stores a host-only cookie for secure requests across the host path, with script access disabled and Lax same-site processing. Storage can still be rejected by browser policy.
Attributes
Domain expands host matching to accepted subdomains; omitting it creates a
host-only cookie. Path filters request paths but is not an isolation boundary.
Max-Age or Expires controls persistence. Secure, HttpOnly, and SameSite
apply separate transport, API-access, and site-context rules.
Common mistake
The later Cookie request field sends selected name/value pairs, not the original
attributes. A server cannot infer Secure, HttpOnly, Path, or SameSite from Cookie
alone.
Primary sources
- RFC 6265 section 4.1 — Set-Cookie (rfc)
- Current HTTP Working Group cookie specification draft (primary documentation)
