When cookies first appeared in 1994, they were completely allowed by browsers and their usage depended entirely on what developers had in mind. However, a few years after that, due to concerns about privacy and tracking, web developers were advised to obey some practices that make cookie usage safer. Nowadays, some practices are even required by law.
Here we’ll discuss a simple list of dos and don’ts, or in other words, what makes a cookie a good cookie.
- No sensitive data should be stored inside cookies. If data such as personal addresses, ID card numbers, bank card numbers, and so on needs to be stored somewhere, cookies aren’t the solution;
- Developers should keep a cookie alive no longer than it is required. Using session cookies instead of persistent ones, and setting an appropriate expiration date on persistent cookies, are practices that prevent data from being kept for unnecessarily long periods of time;
- Cookies used for unsubscription purposes should have an expiration date of at least five years;
- Security-related cookie attributes must be set properly:
  - Flagging the cookie with Secure ensures that it won’t be transmitted over plain HTTP but only over HTTPS. However, for that to work properly, developers need to check that the SSL certificate is installed correctly and that the website contains no mixed content (resources loaded over HTTP);
  - Flagging the cookie with SameSite ensures that it won’t be transmitted to any website other than the one it originates from.
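As an added example (not part of the original article), here is a small Node.js audit function that parses a `Set-Cookie` header and reports which of the practices listed above it violates. The 30-day ceiling for ordinary persistent cookies is an assumed policy value, and the function names are my own.

```javascript
// Added example: audit a Set-Cookie header against the cookie practices above.
const MAX_PERSISTENT_DAYS = 30;        // assumed policy for ordinary persistent cookies
const MIN_UNSUBSCRIBE_DAYS = 5 * 365;  // "at least five years" for unsubscribe cookies

// Split "name=value; Attr; Attr=val" into a name, value and lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const idx = part.indexOf('=');
    const key = (idx === -1 ? part : part.slice(0, idx)).trim().toLowerCase();
    cookie.attrs[key] = idx === -1 ? true : part.slice(idx + 1).trim();
  }
  return cookie;
}

// Lifetime in days from Max-Age (preferred) or Expires; null means a session cookie.
function lifetimeDays(cookie, now = Date.now()) {
  if (cookie.attrs['max-age'] !== undefined) return Number(cookie.attrs['max-age']) / 86400;
  if (cookie.attrs['expires'] !== undefined) return (Date.parse(cookie.attrs['expires']) - now) / 86400000;
  return null;
}

// Returns { name, findings }; an empty findings array means the cookie follows the rules.
function auditCookie(header, { unsubscribe = false, now = Date.now() } = {}) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (cookie.attrs['secure'] !== true) findings.push('missing Secure');
  if (cookie.attrs['samesite'] === undefined) findings.push('missing SameSite');
  const days = lifetimeDays(cookie, now);
  if (unsubscribe) {
    if (days === null || days < MIN_UNSUBSCRIBE_DAYS) findings.push('unsubscribe cookie must last at least five years');
  } else if (days !== null && days > MAX_PERSISTENT_DAYS) {
    findings.push(`persistent cookie lifetime ${Math.round(days)} days exceeds ${MAX_PERSISTENT_DAYS}`);
  }
  return { name: cookie.name, findings };
}

// Constructed sample header, not taken from any real site.
console.log(auditCookie('tracker=1; Path=/; Max-Age=31536000'));
```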