Application Security · Flashcard

Which flags should be set on session cookies?

  • A. HttpOnly, Secure, and SameSite — blocking scripts, forcing HTTPS, and mitigating CSRF
  • B. Domain, Path, and Max-Age — scoping the cookie's reach and controlling its lifetime
  • C. Priority, Partitioned, and Size — tuning how the browser stores the cookie on disk
  • D. Public, Private, and no-store — the cache-control directives applied to the cookie

Why this is the answer

A is correct. HttpOnly hides the cookie from document.cookie, so an XSS payload cannot read the session token outright (it can still issue requests from the victim's browser, so HttpOnly limits theft, not abuse). Secure tells the browser to send the cookie only over HTTPS; it does not redirect plaintext requests, it simply withholds the cookie from them. SameSite=Lax or Strict stops the browser attaching the cookie to most cross-site requests, which removes the easy CSRF cases but is not a replacement for CSRF tokens, and SameSite=None is only accepted together with Secure. For a session cookie, the __Host- prefix additionally locks in Secure, Path=/ and no Domain attribute. The other options fail because Domain, Path, and Max-Age only scope reach and lifetime; Priority and Partitioned affect eviction and partitioning in the browsers that support them, and Size is not a cookie attribute at all; Public, Private, and no-store are Cache-Control directives, not cookie attributes.
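As an added example (not part of the flashcard or of Gnoseed's material), the following Node.js snippet builds a hardened session Set-Cookie header and audits any Set-Cookie value for the protections discussed above. The __Host- prefix, the SameSite=Lax default, the Max-Age value and the sample headers are this example's own assumptions, not something the card specifies.

```javascript
// Added example: build and audit Set-Cookie headers for the session-cookie flags.
// Nothing here is from the flashcard; the cookie name, SameSite default and
// sample headers are assumptions chosen for illustration.

// Parse a Set-Cookie header value into its name/value pair and attributes.
// Attribute names are case-insensitive (RFC 6265), so keys are lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1); // bare flags become `true`
  }
  return { name, value, attrs };
}

// Return the list of findings for a Set-Cookie header that carries a session token.
// An empty list means the cookie has every protection this check looks for.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) {
    findings.push('missing HttpOnly: document.cookie can read the token (XSS theft)');
  }
  if (!attrs.secure) {
    findings.push('missing Secure: cookie is sent over plaintext HTTP');
  }
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (!sameSite || sameSite === 'none') {
    findings.push('SameSite absent or None: browser attaches the cookie to cross-site requests (CSRF)');
  }
  if (sameSite === 'none' && !attrs.secure) {
    findings.push('SameSite=None requires Secure; browsers reject this cookie');
  }
  if (name.startsWith('__Host-')) {
    // The __Host- prefix is only honoured with Secure, Path=/ and no Domain attribute.
    if (attrs.domain !== undefined || attrs.path !== '/' || !attrs.secure) {
      findings.push('__Host- prefix requires Secure, Path=/ and no Domain attribute');
    }
  }
  return findings;
}

// Build the hardened header the card's answer describes. The __Host- prefix and
// SameSite=Lax default are this example's assumptions, not the card's.
function buildSessionCookie(token, { sameSite = 'Lax', maxAge = 3600 } = {}) {
  return `__Host-session=${token}; Path=/; Secure; HttpOnly; SameSite=${sameSite}; Max-Age=${maxAge}`;
}

// Constructed sample headers for demonstration.
const weakHeader = 'session=abc123; Path=/; Max-Age=3600';
const hardenedHeader = buildSessionCookie('abc123');
console.log(auditSetCookie(weakHeader));      // three findings: HttpOnly, Secure, SameSite
console.log(auditSetCookie(hardenedHeader));  // []
```

Running auditSetCookie over the Set-Cookie headers captured from a staging deployment is a quick way to catch a framework default that drops one of the three flags; the SameSite=None and __Host- checks cover the two configurations that browsers silently reject.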
