Stage 7. Cookies
A cookie is a small piece of state that a server gives to the browser, and the browser later attaches to matching HTTP requests automatically. The model sounds simple, but production behavior depends on domain rules, protocol, security attributes, cross-site context, and proxy/CDN topology.
The basic lifecycle is straightforward: the server sends Set-Cookie, the browser stores the value together with its attributes, and the browser then decides when to include it in outgoing requests. Importantly, this decision is made by browser policy, not by endpoint code. That is why the backend can be correct while cookie behavior still appears inconsistent.
Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
Each cookie attribute has concrete operational impact. HttpOnly prevents JavaScript reads and reduces token theft risk in XSS scenarios. Secure restricts transmission to HTTPS. SameSite controls cross-site behavior and strongly affects login flows. Domain and Path define scope. Most "auth randomly disappears" incidents come from incorrect combinations of these settings.
Cookie deletion is another common trap. The browser removes the right cookie only if the deletion response uses the same name, Domain and Path as the original; a Set-Cookie with Max-Age=0 does not look cookies up by name alone. If the logout response uses a different Path or Domain, the old cookie may survive silently and keep being sent.
Set-Cookie: sid=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax
Teams also underestimate environment differences. Local development often uses a single origin and a relaxed setup; production adds HTTPS, subdomains, gateways, and stricter browser behavior. A cookie policy that is untested in production-like conditions frequently fails after release.
From a security perspective, a cookie value should not carry sensitive business data in plaintext. The typical pattern is to store a short session identifier or technical token while sensitive state remains server-side. Logging policy matters too: raw cookie values should be masked in logs and traces.
A shared cookie standard helps prevent repeated defects. Define mandatory attributes, allowed TTL ranges, rotation strategy, deletion symmetry, and log-safety rules. This small governance step has outsized operational impact.
Practical scenario
A team implemented logout with Max-Age=0 but omitted the original Path. The UI showed "logged out," yet some users remained effectively authenticated. Root cause: the browser kept the original, differently scoped cookie. After making the set and delete attributes symmetric, the issue disappeared. The lesson is clear: in cookie systems, small attribute details decide real-world behavior.
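The deletion rule described above and this scenario can be reproduced with a toy model of the browser's cookie store. The following is an added example, not code from the original page: it keys stored cookies by (name, domain, path) as browsers do, applies the RFC 6265 default-path rule when Path is omitted, and shows that the login header from this page is removed by the symmetric logout header but survives the logout header without Path. The host name app.example and the request paths are constructed for the illustration.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute-lowercase: value})."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    parsed = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        parsed[key.strip().lower()] = val.strip()   # flags such as HttpOnly map to ""
    return name.strip(), value, parsed

def default_path(request_path):
    """RFC 6265 5.1.4: the path a cookie gets when Set-Cookie carries no Path attribute."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]

def path_matches(cookie_path, request_path):
    """RFC 6265 5.1.4 path-match: decides whether a stored cookie is attached to a request."""
    if cookie_path == request_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

class CookieJar:
    """Toy model of a browser cookie store, keyed by (name, domain, path).
    A Max-Age=0 response removes only the entry whose key is identical."""
    def __init__(self, host):
        self.host = host
        self.store = {}

    def receive(self, request_path, set_cookie_header):
        name, value, attrs = parse_set_cookie(set_cookie_header)
        domain = (attrs.get("domain") or self.host).lower().lstrip(".")
        path = attrs.get("path") or default_path(request_path)
        key = (name, domain, path)
        if attrs.get("max-age") == "0":
            self.store.pop(key, None)        # no exact key match means no deletion
        else:
            self.store[key] = value

    def cookies_for(self, request_path):
        return {n: v for (n, _d, p), v in self.store.items() if path_matches(p, request_path)}

def simulate_logout(logout_header):
    """Login sets the page's cookie with Path=/, then the logout header is applied from /api/logout."""
    jar = CookieJar("app.example")        # constructed host name
    jar.receive("/api/login", "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax")
    jar.receive("/api/logout", logout_header)
    return jar.cookies_for("/dashboard")   # what a later request would still carry
```

Calling simulate_logout with the page's symmetric logout header returns an empty dict, while the same header without Path=/ leaves sid=abc123 in place because the deletion was scoped to /api.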