You have completed Using Cookies and JWTs for Secure Authentication!
Preview
We've set and retrieved a basic cookie, but we haven't removed our cookie yet. We also haven't used any of the additional settings that limit access to our cookies. Let's take a look at the settings we'll be working with.
Cookie Settings
Setting | Default | Description |
---|---|---|
Expiration Date | 0 | Tells the browser how long to store the cookie, as a full date and time in UTC. Once the expiration date has passed, the cookie is removed. This is used both to delete a cookie, such as when a user logs out, and to keep a cookie active after the browser has been closed. The default of 0 uses the browser's own cookie-expiration setting, which typically means the cookie is removed when the browser is closed. |
Path | '/' | Restricts when the cookie is sent to the server. For example, information that is only used in an admin section could be limited with a path of '/admin'. The default is the root of the domain, which allows the cookie to be accessed for the entire site. |
Domain | full host | The default is the full host, including any subdomain, which makes the cookie available only to that single subdomain. If a root-level domain is specified, all subdomains will also be able to access the cookie. |
Secure | false | Makes sure the cookie can only be transmitted over HTTPS; it will not be sent over unencrypted HTTP connections. By default, this parameter is not sent. |
HttpOnly | true | Makes the cookie inaccessible via the document.cookie API, so it is only editable by the server. By default, the HTTP foundations plugin used in the course does send this parameter. |
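The table describes each setting from the browser's point of view. The following is an added example, not code from the Treehouse course or from the HTTP plugin it uses: it builds a `Set-Cookie` header value from those settings and models the checks a browser makes (expiration, Secure, Domain and Path matching) before attaching a stored cookie to a request. The hostnames, paths and dates are constructed for illustration; `deletionCookie` shows the logout case from the table, where the server re-sends the cookie with a date in the past.

```javascript
// Added example (not from the Treehouse course or its HTTP plugin).
// Sample hosts, paths and dates are constructed for illustration only.

// Turn a name, a value and the settings from the table into a Set-Cookie value.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.expires instanceof Date) {
    // The expiration date is sent as a full UTC date and time.
    parts.push(`Expires=${opts.expires.toUTCString()}`);
  }
  parts.push(`Path=${opts.path || '/'}`);              // default '/': whole site
  if (opts.domain) parts.push(`Domain=${opts.domain}`); // omitted: host-only cookie
  if (opts.secure) parts.push('Secure');               // HTTPS only
  if (opts.httpOnly) parts.push('HttpOnly');           // hidden from document.cookie
  return parts.join('; ');
}

// To delete a cookie (e.g. on logout) the server re-sends it with an
// expiration date in the past; the browser then discards it.
function deletionCookie(name, opts = {}) {
  return serializeCookie(name, '', { ...opts, expires: new Date(0) });
}

// RFC 6265 path matching: '/admin' matches '/admin' and '/admin/users',
// but not '/administrator'. The default '/' matches every path.
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Domain matching: a cookie set without Domain is host-only and goes back
// only to the exact host that set it; Domain=example.com is also sent to
// every subdomain of example.com.
function domainMatches(cookie, requestHost) {
  if (!cookie.domain) return requestHost === cookie.host;
  return requestHost === cookie.domain || requestHost.endsWith('.' + cookie.domain);
}

// Would a browser attach this stored cookie to the given request?
// cookie:  { host, domain, path, secure, httpOnly, expires }
// request: { host, path, protocol }
function wouldSend(cookie, request, now = new Date()) {
  if (cookie.expires instanceof Date && cookie.expires <= now) return false; // expired
  if (cookie.secure && request.protocol !== 'https') return false;           // Secure
  if (!domainMatches(cookie, request.host)) return false;                    // Domain
  return pathMatches(cookie.path || '/', request.path);                      // Path
}

// Can page scripts read or change this cookie through document.cookie?
function visibleToScript(cookie) {
  return !cookie.httpOnly;
}

// Stand-alone demonstration with constructed values.
const sessionHeader = serializeCookie('session', 'abc123', { secure: true, httpOnly: true });
console.log(sessionHeader);          // session=abc123; Path=/; Secure; HttpOnly
console.log(deletionCookie('session'));
console.log(wouldSend(
  { host: 'app.example.com', path: '/', secure: true, httpOnly: true },
  { host: 'app.example.com', path: '/dashboard', protocol: 'http' }
));                                  // false: Secure cookie, plain-HTTP request
```

Note that `Secure` and `HttpOnly` are flags rather than key/value pairs, so they are either present in the header or absent; the serializer only emits them when the option is set.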
Transcript
We've set and retrieved a basic cookie, but we haven't removed our cookie yet. We also haven't used any of the additional settings that limit access to our cookies. Let's take a look at the settings that we'll be working with.

The expiration date tells the browser how long to store the cookie. This is a full date and time in UTC. When it is past the expiration date, the cookie is removed. This is used both to delete a cookie, such as when a user logs out, and also to keep a cookie active after the browser has been closed. The default is 0, using the browser setting for cookie expiration, which typically means that the cookie is removed when the browser is closed.

The path restricts when a cookie is sent to the server. For example, if we wanted to store information that is only used in an admin section, we could set the path to /admin. The default is the root of the domain, which allows the cookie to be accessed for the entire site.

The default for the domain is the full host, including any subdomain. This will make the cookie available only to that single subdomain. If a root level domain is specified, all subdomains will also be able to access that cookie.

The last two settings we're going to be using are single parameters, not a key value pair. They're either sent to the cookie or not. Adding the secure parameter makes sure the cookie can only be transmitted securely over HTTPS, and it will not be sent over unencrypted HTTP connections. By default, this parameter is not sent.

The HttpOnly parameter makes cookies inaccessible via the document.cookie API, so they are only editable by the server. By default, the HTTP foundations plug-in that we're using does send this parameter.

Let's jump back into our project and start using these new settings.