Cookies are one of the core technologies of the web. Sessions, user settings, small key-value data: all of it lives in cookies. But a cookie that is not configured correctly becomes a security hole. Modern browsers and web standards offer several protection mechanisms for cookies.
HttpOnly flag — protection from JavaScript
An HttpOnly cookie cannot be read (or overwritten) from JavaScript. Why does this matter? If your site has an XSS vulnerability, the attacker's script reads the session cookie through document.cookie, sends it to a server they control and hijacks the user's session. With the HttpOnly flag set, the cookie is invisible to document.cookie even under XSS; the browser still attaches it to requests, so the site keeps working. In PHP it is enabled through the httponly parameter of setcookie() or the session.cookie_httponly=1 setting. HttpOnly is mandatory on every session and authentication cookie. Note the limit of this protection: script running in the page can still send requests in the user's name, and the browser attaches the cookie to them. HttpOnly stops cookie theft, not every consequence of XSS.
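As an added example (not code from the original article or from the Sayt.uz platform), here is how the same flags are set from Node.js instead of PHP's setcookie(). The helper names buildSetCookie, sessionCookie and auditSetCookie are assumptions for this illustration; the attribute names in the produced header (HttpOnly, Secure, SameSite, Path, Max-Age) are the standard ones a browser understands.

```javascript
// Added example, not from the original article: build and audit a Set-Cookie
// header with the HttpOnly / Secure / SameSite attributes in Node.js.
// Function names are assumptions chosen for this illustration.

const SAME_SITE_VALUES = ["Strict", "Lax", "None"];

// Build one Set-Cookie header value. Throws on combinations browsers reject
// or that would silently weaken the cookie.
function buildSetCookie(name, value, opts = {}) {
  const {
    httpOnly = true,   // default to the safe choice
    secure = true,
    sameSite = "Lax",
    path = "/",
    maxAge = null,     // seconds; null means a session cookie
  } = opts;

  if (!/^[\w!#$%&'*+.^`|~-]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  if (/[;,\s]/.test(value)) {
    throw new Error("cookie value must not contain ';', ',' or whitespace");
  }
  if (!SAME_SITE_VALUES.includes(sameSite)) {
    throw new Error(`SameSite must be one of ${SAME_SITE_VALUES.join(", ")}`);
  }
  // Browsers drop a SameSite=None cookie that lacks Secure; fail early
  // instead of shipping a cookie that never arrives.
  if (sameSite === "None" && !secure) {
    throw new Error("SameSite=None requires the Secure flag");
  }

  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (maxAge !== null) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Session cookie policy: the flags are fixed, only value and lifetime vary.
// Usage with Node's http module: res.setHeader("Set-Cookie", sessionCookie(id)).
function sessionCookie(sessionId, maxAge = null) {
  return buildSetCookie("sid", sessionId, {
    httpOnly: true, secure: true, sameSite: "Lax", path: "/", maxAge,
  });
}

// Check an existing Set-Cookie header (e.g. from a response you are reviewing)
// against the same policy. Returns the problems found; [] means acceptable.
function auditSetCookie(header) {
  const attrs = header.split(";").map((s) => s.trim()).slice(1);
  const lower = attrs.map((a) => a.toLowerCase());
  const sameSite = attrs.find((a) => /^samesite=/i.test(a));
  const problems = [];
  if (!lower.includes("httponly")) problems.push("missing HttpOnly");
  if (!lower.includes("secure")) problems.push("missing Secure");
  if (!sameSite) {
    problems.push("missing SameSite (browser default varies)");
  } else if (/^samesite=none$/i.test(sameSite)) {
    problems.push(lower.includes("secure")
      ? "SameSite=None gives no CSRF protection"
      : "SameSite=None without Secure (browser will drop it)");
  }
  return problems;
}

// Constructed sample run: a hardened session cookie and a weak one.
console.log(sessionCookie("abc123", 3600));
console.log(auditSetCookie("sid=abc123; Path=/"));
```

The audit function is the useful part when reviewing someone else's responses: run it over every Set-Cookie header and any non-empty result is a finding.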
Secure flag — HTTPS mandatory
A cookie with the Secure flag is only sent over HTTPS. If a request goes over plain HTTP, the browser does not attach it. Why is this needed? If the user is on public WiFi and an attacker is sniffing the network, a cookie sent over HTTP travels in plain text and can be copied. The Secure flag prevents that: the cookie only ever travels inside the encrypted connection. Today every cookie should be Secure, because HTTPS is the standard. Modern browsers also refuse to let a page loaded over HTTP set or overwrite a Secure cookie, so a downgraded page cannot tamper with it.
SameSite=Strict
A SameSite=Strict cookie is sent only with requests that originate from the same site. Even a top-level navigation, such as clicking a link on another site, does not carry it. This is the strongest protection against CSRF. But it costs user experience: when a logged-in user clicks a link in an email and lands on the site, that first request arrives without the cookie, so the page renders as if they were logged out (once they navigate inside the site, the cookie is sent again).
SameSite=Lax
SameSite=Lax is the balance between Strict and the old behaviour. The cookie is sent on same-site requests and on cross-site top-level navigations that use a safe method, such as clicking a link (GET). It is not sent on cross-site POST form submissions, in iframes, with images, or with fetch/XMLHttpRequest calls from another site. This blocks the classic CSRF attack (a form posted from the attacker's page) without breaking links into the site. The remaining gap: an action that changes state on a GET request is still reachable through a plain link, so never change state on GET. Chrome and some other browsers treat a cookie with no SameSite attribute as Lax by default, but defaults differ between browsers (and Chrome temporarily allows a cross-site POST for such a cookie set within the last two minutes), so set SameSite=Lax explicitly rather than relying on the default.
SameSite=None
A SameSite=None cookie is sent on any cross-site request, including POSTs and embedded iframes. This is the behaviour cookies had before SameSite existed, and it is only appropriate for cookies that genuinely have to work cross-site (an embedded widget, a third-party login flow). When SameSite=None is used, the Secure flag is mandatory: browsers reject a None cookie without Secure. A SameSite=None cookie gives no CSRF protection at all, so the requests that carry it need another CSRF defence such as anti-CSRF tokens.
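The three SameSite modes together with the Secure flag decide whether the browser attaches a cookie to a given request. The following is an added example (not code from the original article) that models those rules for the scenarios described in the Strict, Lax and None sections above: a same-site link, a link clicked in an email, a cross-site POST form, an iframe embed, a cross-site fetch, and a plain-HTTP request. The function and scenario names are assumptions; the model follows the standard SameSite semantics and deliberately leaves out Chrome's temporary "Lax+POST" exception for cookies without a SameSite attribute.

```javascript
// Added example, not from the original article: a small model of the rules
// a browser applies when deciding whether to attach a cookie to a request.
// Names and scenarios are constructed for illustration.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// cookie:  { name, secure, sameSite }   sameSite is "Strict" | "Lax" | "None"
// request: { scheme, method, crossSite, topLevel }
//   crossSite: the request is initiated from a different site
//   topLevel:  a navigation that changes the address bar (link click, form
//              submission); false for iframes, images, fetch/XHR
function cookieWouldBeSent(cookie, request) {
  // Secure cookies never travel over plain HTTP, whatever the SameSite mode.
  if (cookie.secure && request.scheme !== "https") return false;
  // Same-site requests always carry the cookie.
  if (!request.crossSite) return true;
  switch (cookie.sameSite) {
    case "Strict":
      return false;                                    // never cross-site
    case "Lax":
      // only top-level navigations with a safe method, e.g. a clicked link
      return request.topLevel && SAFE_METHODS.has(request.method);
    case "None":
      return true;                                     // legacy behaviour
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed scenarios, as requests arriving at the site that set the cookie.
const SCENARIOS = {
  sameSiteLink:   { scheme: "https", method: "GET",  crossSite: false, topLevel: true  },
  emailLink:      { scheme: "https", method: "GET",  crossSite: true,  topLevel: true  },
  crossSitePost:  { scheme: "https", method: "POST", crossSite: true,  topLevel: true  },
  iframeEmbed:    { scheme: "https", method: "GET",  crossSite: true,  topLevel: false },
  crossSiteFetch: { scheme: "https", method: "POST", crossSite: true,  topLevel: false },
  plainHttpLink:  { scheme: "http",  method: "GET",  crossSite: false, topLevel: true  },
};

// For one cookie, report which scenarios would carry it.
function attachmentMatrix(cookie) {
  const result = {};
  for (const [name, req] of Object.entries(SCENARIOS)) {
    result[name] = cookieWouldBeSent(cookie, req);
  }
  return result;
}

// Comparison table for the three modes of a Secure session cookie.
for (const sameSite of ["Strict", "Lax", "None"]) {
  const row = attachmentMatrix({ name: "sid", secure: true, sameSite });
  const cells = Object.entries(row).map(([k, v]) => `${k}=${v ? "sent" : "-"}`);
  console.log(sameSite.padEnd(7), cells.join("  "));
}
```

Reading the table row for Lax shows the trade-off the article describes: the email link carries the cookie (the user stays logged in), while the cross-site POST, the iframe and the fetch do not. The Strict row drops the cookie on the email link as well, and the None row sends it everywhere over HTTPS.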
Sayt.uz practice
On the Sayt.uz platform all cookies are set with the Secure, HttpOnly and SameSite=Lax flags. A separate Path is applied to the admin and cabinet cookies, so the admin cookie is not sent with requests to the public part of the site. Since every site hosted on Sayt.uz gets a free SSL certificate, Secure cookies work from the start.