This course will be retired on June 1, 2025.

Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

Using Cookies and JWTs for Secure Authentication

Preview

Start a free Courses trial
to watch this video

Sign up for Treehouse

Cookie Settings

2:11 with Alena Holligan

We've set and retrieved a basic cookie, but we haven't removed our cookie yet. We also haven't used any of the additional settings that limit access to our cookies. Let's take a look at the settings we'll be working with.

Name Value
Expiration Date default 0
The Expiration Date tells the browser how long to store the cookie. This is a full date and time in UTC. When it is past the expiration date the cookie is removed. This is used both to delete a cookie, such as when a user logs out, and also to keep a cookie active after the browser has been closed using the browser setting for cookie expiration, which typically means the cookie is removed when the browser is closed.
Path default '/'
The Path restricts when a cookie is sent to the server. For example, if we wanted to store information that is only used in an admin section, we could set the path to '/admin' The default is the root of the domain, which allows the cookie to be access for the entire site.
Domain default full host
  Including any subdomain. This will make the cookie available only to that single subdomain. If a root level domain is specified, all subdomains will also be able to access the cookie.
Secure default false
Adding the Secure parameter makes sure the cookie can only be transmitted securely over HTTPS, and it will not be sent over unencrypted HTTP connections By default, this parameter is not sent
HttpOnly default true
The HttpOnly parameter makes cookies inaccessible via the document.cookie API, so they are only editable by the server By default, the HTTP foundations plugin we're using, does send this parameter

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

    Related Discussions

    Have questions about this video? Start a discussion with the community and Treehouse staff.

    Sign up

    We've set and retrieved a basic cookie, but we haven't removed our cookie yet. 0:00
    We also haven't used any of the additional settings that limit access to our cookies. 0:06
    Let's take a look at the settings that we'll be working with. 0:11
    The expiration date tells the browser how long to store the cookie. 0:14
    This is a full date and time in UTC. 0:19
    When it is past the expiration date, the cookie is removed. 0:22
    This is used to both to delete a cookie, such as when a user logs out, and 0:26
    also to keep a cookie active after the browser has been closed. 0:30
    The default is 0, using the browser setting for cookie expiration, 0:35
    which typically means that the cookie is removed when the browser is closed. 0:39
    The path restricts when a cookie is sent to the server. 0:44
    For example, if we wanted to store information that is only used 0:49
    in an admin section, we could set the path to /admin. 0:53
    The default is the root of the domain, which allows the cookie to be accessed for 0:58
    the entire site. 1:02
    The default for the domain is the full host, including any subdomain. 1:04
    This will make the cookie available only to that single subdomain. 1:10
    If a root level domain is specified, 1:14
    all subdomains will also be able to access that cookie. 1:17
    The last two settings we're going to be using are single parameters, 1:22
    not a key value pair. 1:26
    They're either sent to the cookie or not. 1:28
    Adding the secure parameter makes sure the cookie can only be 1:31
    transmitted securely over HTTPS, and 1:36
    it will not be sent over unencrypted HTTP connections. 1:39
    By default, this parameter is not sent. 1:44
    The HttpOnly parameter makes cookies inaccessible via 1:48
    the document.cookie API, so they are only editable by the server. 1:53
    By default, the HTTP foundations plug-in that we're using does send this parameter. 1:59
    Let's jump back into our project and start using these new settings. 2:07

    You need to sign up for Treehouse in order to download course files.

    Sign up

      You need to sign up for Treehouse in order to set up Workspace

      Sign up