Link to this headingCookies
Link to this headingUnusual Cookies
- Standard HTTP Cookies
- HTTP Strict Transport Security (HSTS) Pinning
- Local Shared Objects (Flash Cookies)
- Storing cookies in RGB values of auto-generated, force-cached
PNGs using HTML5 Canvas tag to read pixels (cookies) back out - Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
- HTML5 IndexedDB
- Java JNLP PersistenceService
- Java CVE-2013-0422 exploit (applet sandbox escaping)
- Caching in HTTP Authentication
- Using Java to produce a unique key based off of NIC info
- Google Gears
Link to this headingChanges to Cookies
Google Chrome
Link to this headingExpires Flag
- Uses a finite date to expire a cookie. Ex.
Expires=Wed, 21 Oct 2015 07:28:00 GMT - If this is not set then the cookie expires when the session is closed.
- If a browser session is restored as part of a option by the browser then the session is never closed.
Link to this headingMax-Age Flag
- Used to set an auto expiration client side of the cookie.
- This is done in the number of seconds that it is valid for
- If both Expires and Max-age flags are set Max-age has priority
Link to this headingDomain Flag
- If the domain flag is not set then the current full domain not including subdomains is set.
- It is not possible to set more than one host/domain values are not allowed,
- If a domain is manually specified in then all subdomains are included
Link to this headingPath Flag
- Specify only a certain directory and subdirectory with this attribute
Link to this headingSecure Flag
- http sites cannot set https headers
- only sent if the server is using SSL/TLS
Link to this headingHttpOnly Flag
- Restricts JavaScript from accessing the cookie
- This cookie will still be sent with JavaScript-initiated requests
Link to this headingSameSite Flag
Same site also includes subdomains.
google.com cookies will work for mail.google.com
HTTP External Endpoint:
| IFRAME/IMG | XS GET | XS POST | XS PUT/DELETE/ETC | XS HEAD | |
|---|---|---|---|---|---|
| Secure & SameSite=None | No | No | No | No | No |
| no SameSite | No | Yes | Yes (for 2 mins) | Yes (for 2 mins) | Yes |
| SameSite=invalid | No | Yes | Yes (for 2 mins) | Yes (for 2 mins) | Yes |
HTTPS External Endpoint:
| IFRAME/IMG | XS GET | XS POST | XS PUT/DELETE/ETC | XS HEAD | |
|---|---|---|---|---|---|
| Secure & SameSite=None | Yes | Yes | Yes | Yes | Yes |
| no SameSite | No | Yes | Yes (for 2 mins) | Yes (for 2 mins) | Yes |
| SameSite=invalid | No | Yes | Yes (for 2 mins) | Yes (for 2 mins) | Yes |