# Cookies Hacking
βοΈ HackTricks Cloud βοΈ -π¦ Twitter π¦ - ποΈ Twitch ποΈ - π₯ Youtube π₯
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
***
## Cookies Attributes
### Expires & Max-Age
* `Expires` sets an expiry date for when a cookie gets deleted
* `Max-age` sets the time in seconds for when a cookie will be deleted **(use this, itβs no longer 2009)**
### **Domain**
The `Domain` attribute specifies **which hosts can receive a cookie**. If unspecified, the attribute **defaults** to the **same host** that set the cookie, _**excluding subdomains**_. **If `Domain` is** **specified**, then **subdomains are always included**. Therefore, specifying `Domain` is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.
For example, if you set `Domain=mozilla.org`, cookies are available on subdomains like `developer.mozilla.org`. But if you don't, the cookie won't be sent to subdomains.
If a **subdomain** `sub.example.com` **sets a cookie** with _domain_ attribute of **`.example.com`**, it will be **sent** on requests to the **parent domain.**
### **Path**
The `Path` attribute indicates a **URL path that must exist in the requested URL to send the `Cookie` header**. The `%x2F` ("/") character is considered a directory separator, and subdirectories match as well.
#### Order
When 2 cookies have the **same name** the one that is sent is:
* The one with the **longest path** matching the URL path
* The **newest** one if both have the same path
### SameSite
This will indicate to the browser if the **cookie** can be sent **from other domains**. It has 3 possible values:
* **Strict**: The cookie will not be sent along with a request by third party websites.
* **Lax**: The cookie will be sent along with the GET request initiated by third party websites.
* **None**: The cookie is sent from any third party domain
| **Request Type** | **Example Code** | **Cookies Sent When** |
| ---------------- | ---------------------------------- | --------------------- |
| Link | \\ | NotSet\*, Lax, None |
| Prerender | \ | NotSet\*, Lax, None |
| Form GET | \