✨ Earn college credits in Cybersecurity, JS, HTML, CSS and Python

Take our "AI in Tech Jobs" survey and win 3 months free Treehouse!

New No-Code Track! 🚀 New videos dropping every week—start learning today!

🤑 Join the Treehouse affiliate program and earn 25% commission!

🌟 Dreaming of a bright future? 🎓 Ask about the Treehouse Scholarship program! 🚀

Well done!

You have completed Using Cookies and JWTs for Secure Authentication!

Sign up for Treehouse Back to Library

Preview

Sign up for Treehouse Continue

Cookie Settings

2:11 with Alena Holligan

We've set and retrieved a basic cookie, but we haven't removed our cookie yet. We also haven't used any of the additional settings that limit access to our cookies. Let's take a look at the settings we'll be working with.

Teacher's Notes
Questions?
Video Transcript
Downloads
Workspaces

Name	Value
Expiration Date	default 0
The Expiration Date tells the browser how long to store the cookie. This is a full date and time in UTC. When it is past the expiration date the cookie is removed. This is used both to delete a cookie, such as when a user logs out, and also to keep a cookie active after the browser has been closed	using the browser setting for cookie expiration, which typically means the cookie is removed when the browser is closed.
Path	default '/'
The Path restricts when a cookie is sent to the server. For example, if we wanted to store information that is only used in an admin section, we could set the path to '/admin'	The default is the root of the domain, which allows the cookie to be access for the entire site.
Domain	default full host
	Including any subdomain. This will make the cookie available only to that single subdomain. If a root level domain is specified, all subdomains will also be able to access the cookie.
Secure	default false
Adding the Secure parameter makes sure the cookie can only be transmitted securely over HTTPS, and it will not be sent over unencrypted HTTP connections	By default, this parameter is not sent
HttpOnly	default true
The HttpOnly parameter makes cookies inaccessible via the document.cookie API, so they are only editable by the server	By default, the HTTP foundations plugin we're using, does send this parameter

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

We've set and retrieved a basic cookie, but we haven't removed our cookie yet. 0:00

We also haven't used any of the additional settings that limit access to our cookies. 0:06

Let's take a look at the settings that we'll be working with. 0:11

The expiration date tells the browser how long to store the cookie. 0:14

This is a full date and time in UTC. 0:19

When it is past the expiration date, the cookie is removed. 0:22

This is used to both to delete a cookie, such as when a user logs out, and 0:26

also to keep a cookie active after the browser has been closed. 0:30

The default is 0, using the browser setting for cookie expiration, 0:35

which typically means that the cookie is removed when the browser is closed. 0:39

The path restricts when a cookie is sent to the server. 0:44

For example, if we wanted to store information that is only used 0:49

in an admin section, we could set the path to /admin. 0:53

The default is the root of the domain, which allows the cookie to be accessed for 0:58

the entire site. 1:02

The default for the domain is the full host, including any subdomain. 1:04

This will make the cookie available only to that single subdomain. 1:10

If a root level domain is specified, 1:14

all subdomains will also be able to access that cookie. 1:17

The last two settings we're going to be using are single parameters, 1:22

not a key value pair. 1:26

They're either sent to the cookie or not. 1:28

Adding the secure parameter makes sure the cookie can only be 1:31

transmitted securely over HTTPS, and 1:36

it will not be sent over unencrypted HTTP connections. 1:39

By default, this parameter is not sent. 1:44

The HttpOnly parameter makes cookies inaccessible via 1:48

the document.cookie API, so they are only editable by the server. 1:53

By default, the HTTP foundations plug-in that we're using does send this parameter. 1:59

Let's jump back into our project and start using these new settings. 2:07

You need to sign up for Treehouse in order to download course files.

Sign up

You need to sign up for Treehouse in order to set up Workspace

Sign up