# Cookies (RFC 6265)

ASCII text created by the server and sent to the client.

* HTTP header: `Set-Cookie: VALUE`.

Stored in the client's cookie jar.

* A file or simple database.
* The client may freely delete (or edit) cookies.

Client resends the **Cookie** header to servers.

* In every request for which there is a matching cookie.
* Format is: `Cookie: VALUE`

Server can keep context using the cookie provided.

1. Receives a Cookie from the client.
   1. The cookie can contain the session identifier.
2. Fetches the context (session).
3. Provides a customized answer.

Cookies are used as tokens that enable authorization.

* When set as the result of an authentication process.
* Allow obtaining the identity associated with the request.

Losing a Cookie opens the door to *impersonation*.

Cookie scope and lifetime are set by the server in the client response.

```
Set-Cookie: <cookie-name>=<cookie-value>
Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>
Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<non-zero-digit>
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>
Set-Cookie: <cookie-name>=<cookie-value>; Path=<path-value>
Set-Cookie: <cookie-name>=<cookie-value>; Secure
Set-Cookie: <cookie-name>=<cookie-value>; HttpOnly
Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Strict
Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Lax
```

Client -> Server.

* No cookie sent.

Server -> Client.

* `Set-Cookie: MoodleSession=0r6mroovg98o338clahfd177g0; path=/`

Client -> Server.

* `Cookie: MoodleSession=0r6mroovg98o338clahfd177g0`
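The scoping attributes listed above and the exchange just shown can be traced through code. The following is an added example, not part of these notes: it parses a `Set-Cookie` header into a cookie scoped to the responding URL, applies the RFC 6265 domain, path and `Secure` matching rules to decide whether the client resends the cookie, builds the resulting `Cookie` header, and audits a session cookie for the flags that limit theft. The helper names, and the hosts `moodle.example` and `example.com`, are constructed for illustration; the `MoodleSession` value is the one from the exchange above.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # for host-only cookies this is the host that set it
    host_only: bool
    path: str
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = None
    max_age: Optional[int] = None
    expires: Optional[str] = None


def default_path(uri_path: str) -> str:
    # Default-path algorithm (RFC 6265 section 5.1.4), used when Path is absent.
    if not uri_path.startswith("/") or uri_path.count("/") <= 1:
        return "/"
    return uri_path[: uri_path.rfind("/")]


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    # Domain matching (section 5.1.3); IP-literal hosts are not handled here.
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    # Path matching (section 5.1.4): "/app" covers "/app/x" but not "/apple".
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, set_from_url: str) -> Optional[Cookie]:
    # Returns None when Domain does not cover the setting host: a user agent
    # ignores such a cookie entirely (section 5.3, step 6).
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    url = urlsplit(set_from_url)
    host = (url.hostname or "").lower()
    c = Cookie(name.strip(), value.strip(), domain=host, host_only=True,
               path=default_path(url.path))
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            val = val.lstrip(".").lower()      # a leading dot is ignored (5.2.3)
            if not domain_matches(host, val):
                return None
            c.domain, c.host_only = val, False
        elif key == "path":
            c.path = val if val.startswith("/") else default_path(url.path)
        elif key == "secure":
            c.secure = True
        elif key == "httponly":
            c.http_only = True
        elif key == "samesite":
            c.same_site = val
        elif key == "max-age":
            c.max_age = int(val)
        elif key == "expires":
            c.expires = val
    return c


def should_send(cookie: Cookie, request_url: str) -> bool:
    # Would a conforming client attach this cookie to a request for request_url?
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    if cookie.host_only:
        if host != cookie.domain:
            return False
    elif not domain_matches(host, cookie.domain):
        return False
    if not path_matches(url.path or "/", cookie.path):
        return False
    if cookie.secure and url.scheme != "https":
        return False
    return True


def cookie_header(jar: List[Cookie], request_url: str) -> str:
    # The Cookie header value the client resends (section 5.4).
    return "; ".join(f"{c.name}={c.value}" for c in jar if should_send(c, request_url))


def audit_session_cookie(cookie: Cookie) -> List[str]:
    # Flags a session cookie lacks; each missing one widens the window for theft.
    findings = []
    if not cookie.secure:
        findings.append("missing Secure: sent over plaintext HTTP")
    if not cookie.http_only:
        findings.append("missing HttpOnly: readable from page scripts")
    if cookie.same_site is None:
        findings.append("missing SameSite: attached to cross-site requests")
    return findings
```

Running `audit_session_cookie` over the `MoodleSession` cookie from the exchange above reports three missing flags, because `path=/` is its only attribute; a cookie set with `Secure; HttpOnly; SameSite=Lax` reports none. Note that `Domain=` widens the scope to every subdomain, while omitting it makes the cookie host-only.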
