Format
Set-Cookie: name=value[; expires=date][; domain=domain][; path=path][; secure][; HttpOnly]
- domain option
- indicates the domain(s) for which the cookie should be sent.
- default domain is the name of the host setting the cookie.
- the domain option allows widening the number of domains the cookie will be returned to.
For instance, a domain of google.com would cause the cookie to be returned for www.google.com, etc.
- format: domain=google.com
- path option
- indicates the URL path for which the cookie will be returned.
- default is the URL that set the cookie.
- secure option
- flag indicating the cookie is to be returned only when SSL and HTTPS are being used.
- HttpOnly option
- If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client-side script (again, if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script-accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft or modification by malicious script.
Cookies are manipulated in JavaScript using the document.cookie property.
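The following is an added example, not part of the original notes: it parses a Set-Cookie header into the attributes described above (domain, path, expires, secure, HttpOnly), audits a cookie for the missing Secure/HttpOnly flags and widened Domain scope that the notes warn about, and separately parses the attribute-less "name=value; name2=value2" string that document.cookie returns in a browser. The function names and the sample headers are constructed for this example.

```javascript
// Added example (not from the original notes): parse a Set-Cookie header
// into its name/value and attributes, then audit the security-relevant
// attributes (domain, path, secure, HttpOnly).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    value: eq === -1 ? '' : nameValue.slice(eq + 1),
    domain: null,   // null means the default: the host that set the cookie
    path: null,     // null means the default: the path of the setting URL
    expires: null,
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    switch (key) {
      case 'domain': cookie.domain = val.replace(/^\./, '').toLowerCase(); break;
      case 'path': cookie.path = val; break;
      case 'expires': cookie.expires = val; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      default: break; // unknown attributes are ignored, as browsers do
    }
  }
  return cookie;
}

// Audit a single Set-Cookie header against the host that issued it.
// A session cookie should carry both Secure and HttpOnly; a Domain attribute
// that widens the cookie beyond the setting host is worth a review finding.
function auditCookie(header, settingHost) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.secure) findings.push('missing Secure: cookie is also sent over plain HTTP');
  if (!c.httpOnly) findings.push('missing HttpOnly: cookie is readable via document.cookie');
  if (c.domain && c.domain !== settingHost.toLowerCase()) {
    findings.push(`Domain=${c.domain} widens scope beyond ${settingHost}`);
  }
  if (!c.path) findings.push("no Path: scoped to the setting URL's default path");
  return { cookie: c, findings };
}

// document.cookie in a browser yields "name1=value1; name2=value2" with no
// attributes (HttpOnly cookies never appear in it); parse that into a map.
function parseDocumentCookie(cookieString) {
  const out = {};
  for (const pair of cookieString.split(';')) {
    const t = pair.trim();
    if (!t) continue;
    const i = t.indexOf('=');
    const name = i === -1 ? t : t.slice(0, i);
    out[name] = i === -1 ? '' : t.slice(i + 1);
  }
  return out;
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/; Secure; HttpOnly',
  'tracking=xyz; domain=example.com; expires=Wed, 09 Jun 2021 10:18:14 GMT',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of SAMPLE_HEADERS) {
    const { cookie, findings } = auditCookie(h, 'www.example.com');
    console.log(cookie.name, findings.length ? findings : ['ok']);
  }
  console.log(parseDocumentCookie('a=1; b=2; c'));
}
```

Run with `node` to see the first sample pass clean and the second produce four findings (no Secure, no HttpOnly, a widened Domain, and no explicit Path). The Domain check strips a leading dot and lowercases before comparing, since browsers treat "domain=.example.com" and "domain=example.com" alike.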
Resources
RFC 6265 HTTP State Management Mechanism (text)
RFC 6265 HTTP State Management Mechanism (HTML)
HTTP Cookies Explained