Introduction to HTTP Cookies

May 9, 2021

I heard the british use biscuits instead of cookies...weird.

What are Cookies

Cookies, more properly called HTTP cookies, are small bits of data stored as text files on a browser. Cookies associate bits of data to a specific user. Cookies are mainly used for three purposes:

Session management

Logins, game scores, or anything else the server should remember.


User preferences, themes, and other settings. For example, a user's preferences such as language and preferred theme could be saved for future sessions.


Recording and analyzing user behavior. When a user visits a shopping website and searches for an item, the item gets saved in their browser history. Cookies can read browsing history so similar are shown to the user next time they visit.

Types of Cookies

Session cookies

Session cookies, also known as 'temporary cookies', help websites recognise users and the information provided when they navigate through a website. Session cookies only retain information about a user's activities for as long as they are on the website. Once the web browser is closed, the cookies are deleted.

Permanent cookies

Permanent cookies are also known as 'persistent cookies'. They remain in operation even after the web browser has closed. For example they can remember login details and passwords so web users don't need to re-enter them every time they use a site.

Third-party cookies

Third-party cookies are installed by third-parties with the aim of collecting certain information from web users to carry out research into, for example, behaviour, demographics or spending habits. They are commonly used by advertisers who want to ensure that products and services are marketed towards the right target audience.

Flash cookies

Flash cookies are also known as 'super cookies'. They are independent from the web browser. They are designed to be permanently stored on a user's computer. These types of cookies remain on a user's device even after all cookies have been deleted from their web browser.

Zombie cookies

Zombie cookies are a type of flash cookie that are automatically re-created after a user has deleted them. This means they are difficult to detect or manage. They are often used in online games to prevent users from cheating, but have also been used to install malicious software onto a user's device.

Secure Cookies

Only HTTPS websites can set secure cookies, i.e., cookies with encrypted data. Mostly, the checkout or payment pages of e-commerce websites have secure cookies to facilitate safer transactions. Similarly, online banking websites are required to use secure cookies for security reasons.

Creating Cookies with Vanilla JavaScript

NOTE: For the code below to work, your browser has to have local cookies support turned on.

JavaScript can create, read, and delete cookies with the document.cookie property.With JavaScript, a cookie can be created by setting a cookie-name and cookie-value as shown below.

document.cookie = "username=LindaOjo";

The cookie-name above is username and it's corresponding value is LindaOjo

You can also add an expiry date (in UTC time). By default, the cookie is deleted when the browser is closed:

document.cookie = "username=LindaOjo; expires=Wed, 1 Oct 2022 12:00:00 UTC";

With a path parameter, you can tell the browser what path the cookie belongs to. By default, the cookie belongs to the current page.

document.cookie = "username=LindaOjo; expires=Wed, 1 Oct 2022 12:00:00 UTC; path=/";

Handling Cookies using just vanilla JavaScript can get tedious real quick that's why I prefer using the JavaScript Cookie Package

Handling Cookies with JavaScript Cookie Package

JavaScript Cookie is a simple lightweight JavaScript API for handling cookies. It works on all browsers, accepts any character, heavily tested and requires no dependency. Awesome!


Run the command below in your root folder.

npm install js-cookie --save

Cookie Attributes

  • Expire: define when the cookie will be removed. Value can be a Number which will be interpreted as days from time of creation or a Date instance.

  • Path: a String indicating the path where the cookie is visible.

  • Domain: a String indicating a valid domain where the cookie should be visible. The cookie will also be visible to all subdomains.

  • Secure: Either true or false, indicating if the cookie transmission requires a secure protocol (https).

Create a cookie

We can create a cookie that valid across the entire website by providing the name and the value as shown below.

import Cookies from 'js-cookie'; Cookies.set('name', 'value');

We can specify how long it takes for a cookie to expire by passing an object that contains the number of days before expiration as the third argument in the Cookie.set method. The cookie that's created below expires after 7 days. By default, a cookie is removed when the user closes the browser.

import Cookies from 'js-cookie'; Cookies.set('name', 'value', { expires: 7 });

Next,We can create an secure expiring cookie that's only valid to the path of the current page. The path is add to the previous Object which contains the expiration date.

Cookies.set('name', 'value', { expires: 7, path: '', secure: true });

Read cookie

The point of creating cookies is so we can use them later. We can access already existing cookies using the Cookie.get method. Let's create and read a real cookie called 'theme'.

import Cookies from 'js-cookie'; Cookies.set('theme', 'dark'); Cookies.get('theme') // => 'dark'

You can also update a cookie by overriding it's value

Cookies.set('theme', 'light');

Now the theme cookie has a value of 'light'. We can get all cookies present at once by calling Cookies.get method without passing in any arguments. An object containing all cookies is returned in this case.

Cookies.get(); // => { theme: 'light' }

Delete cookie

You can delete cookies that are globally accessible running the Cookie.remove method with just the first argument which is value


Note: when deleting a cookie and you are not relying on the default attributes, you must pass the exact same path and domain attributes that were used to set the cookie. Let us set and delete a cookie valid to the path of the current page as an example.

Cookies.set('direction', 'north', { path: '' }); Cookies.remove('direction'); // fail! Cookies.remove('direction', { path: '' }); // removed!

That's a wrap! This is a simple introduction to HTTPS Cookies,I trust you learnt a lot.

Created by Linda Ojo Taiwo