Cookies in Web Applications

Cookies are small pieces of data that a server sends to a user's browser. They are stored on the user's device and sent back to the server with subsequent requests. Cookies are primarily used to maintain stateful information between HTTP requests, which are otherwise stateless by nature.

Key Concepts of Cookies:

What is a Cookie?

• A cookie is a key-value pair that stores small amounts of data.
• Browsers store cookies locally on the client-side and send them with each subsequent HTTP request to the server.
• Cookies can store a variety of data such as user preferences, session identifiers, authentication tokens, etc.

Structure of a Cookie:

A cookie consists of the following components:

• Name: The name of the cookie (key).
• Value: The data stored in the cookie (value).
• Domain: Specifies which domain the cookie belongs to.
• Path: Defines the specific URL or path the cookie is associated with.
• Expiration Date: Determines how long the cookie remains valid (cookies expire after a certain period unless renewed).
• Secure: A flag indicating whether the cookie should only be transmitted over secure HTTPS connections.
• HttpOnly: A flag indicating whether the cookie can only be accessed via HTTP(S) and not by JavaScript (for security reasons).

Types of Cookies:

Client-Side Cookies:

• Created and managed by JavaScript: Cookies are set, read, and modified directly by the client using JavaScript.
• Accessible via JavaScript: Unless marked with the HttpOnly flag, client-side cookies can be accessed and modified by JavaScript running on the webpage.

Example (Setting a cookie with JavaScript):

document.cookie = "username=Ash; expires=Thu, 18 Dec 2024 12:00:00 UTC; path=/";

Server-Side Cookies:

• Created and managed by the server: The server sends cookies to the client using the Set-Cookie HTTP header, and these cookies are automatically stored by the browser.
• Not accessible by JavaScript if HttpOnly is set: For security reasons, cookies with the HttpOnly attribute cannot be accessed or modified by client-side scripts.

Example (Setting a cookie in an HTTP response):

Set-Cookie: session_id=abc123; HttpOnly; Secure; Path=/; Expires=Wed, 13 Oct 2024 07:28:00 GMT

Difference Between Client-Side and Server-Side Cookies

Type	Who Sets It?	Who Can Access It?	Example Use Case	Security Considerations
Client-Side	Client (Browser)	Client (JavaScript), unless HttpOnly	Storing user preferences	Vulnerable to XSS unless HttpOnly
Server-Side	Server	Server (via HTTP headers), sometimes Client	Session management, authentication	Use HttpOnly, Secure flags for security

Common Use Cases of Cookies:

• Session Management: Track user sessions on websites. The server generates a session ID and stores it in a cookie. The browser sends this session ID with each request, enabling the server to recognize the user and maintain their session.

• Personalization: Remember user preferences, such as language settings or themes (dark mode/light mode).

• Tracking and Analytics: Track user activity across pages or different websites for analytics or advertising purposes.

Example: Server-Side Cookie Flow

1. User logs into a website.
2. The server authenticates the user and generates a session ID cookie.
3. The server sends the session ID cookie to the client using the Set-Cookie header in the response.
4. The browser stores this cookie.
5. For each subsequent request, the browser automatically sends the session ID cookie to the server.
6. The server identifies the user based on the session ID and maintains the user's login state.

Security Concerns:

• Cookie Hijacking: If cookies are sent over unencrypted HTTP connections, attackers can intercept and steal them. Using the Secure attribute ensures cookies are only sent over HTTPS.
• Cross-Site Scripting (XSS): Malicious scripts can access cookies unless they are marked HttpOnly. Always use the HttpOnly flag for sensitive data like session tokens.
• Cross-Site Request Forgery (CSRF): Cookies are automatically sent with every HTTP request, which can be exploited by attackers to perform actions on behalf of users without their consent. CSRF tokens help mitigate this risk.

Summary:

Type	Who Sets It?	Who Can Access It?	Example Use Case	Security Considerations
Client-Side	Client (Browser)	Client (JavaScript), unless HttpOnly	Storing user preferences	Vulnerable to XSS unless HttpOnly
Server-Side	Server	Server (via HTTP headers), sometimes Client	Session management, authentication	Use HttpOnly, Secure flags for security

Cookies in JavaScript and FastAPI

Cookies in JavaScript

Cookies are a key way to store data client-side in web browsers. In JavaScript, you can set, retrieve, and delete cookies to manage information like session identifiers or user preferences.

Setting Cookies with JavaScript

Cookies are set using the document.cookie API. You can specify a key-value pair along with several attributes such as expires, path, domain, etc.

Example: Setting a Cookie in JavaScript

// Set a cookie that expires in one day
const date = new Date();
date.setTime(date.getTime() + (24 * 60 * 60 * 1000)); // 1 day in milliseconds
const expires = "expires=" + date.toUTCString();
document.cookie = "username=Ash; " + expires + "; path=/";

• This cookie is named username and holds the value "Ash".
• It will expire in 1 day.
• The path=/ makes the cookie accessible across the entire site.

Reading Cookies in JavaScript

You can read cookies using document.cookie, which returns all cookies as a single string. You can split this string into individual cookies and access the values.

Example: Reading a Cookie

function getCookie(name) {
    let decodedCookie = decodeURIComponent(document.cookie);
    let cookiesArray = decodedCookie.split(';');
    for (let cookie of cookiesArray) {
        while (cookie.charAt(0) === ' ') {
            cookie = cookie.substring(1);
        }
        if (cookie.indexOf(name + "=") === 0) {
            return cookie.substring(name.length + 1, cookie.length);
        }
    }
    return "";
}

// Retrieve the 'username' cookie
let username = getCookie("username");
console.log(username); // Outputs: Ash

Deleting Cookies in JavaScript

To delete a cookie, set its expires attribute to a past date:

document.cookie = "username=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;";

---

Cookies in FastAPI

FastAPI makes working with cookies on the server-side straightforward. You can set cookies in responses, read them from requests, and configure security settings such as HttpOnly, Secure, and SameSite.

Setting Cookies in FastAPI

You can use the set_cookie() method in a FastAPI route to add a cookie to the response.

Example: Setting a Cookie in FastAPI

from fastapi import FastAPI, Response

app = FastAPI()

@app.get("/set-cookie/")
def set_cookie(response: Response):
    response.set_cookie(
        key="session_id",
        value="abc123",
        httponly=True,  # HttpOnly cookies are inaccessible to JavaScript
        secure=True,    # Secure cookies are only sent over HTTPS
        samesite="lax", # Helps prevent cross-site request forgery (CSRF)
        max_age=3600,   # Expires in 1 hour
    )
    return {"message": "Cookie set successfully"}

• HttpOnly: Prevents the cookie from being accessed by JavaScript.
• Secure: Ensures the cookie is only sent over HTTPS.
• SameSite=Lax: Mitigates CSRF attacks.
• Max-Age: Defines the cookie's lifetime (1 hour in this case).

Reading Cookies in FastAPI

You can retrieve cookies using the Cookie dependency in FastAPI.

Example: Reading a Cookie in FastAPI

from fastapi import FastAPI, Cookie

app = FastAPI()

@app.get("/read-cookie/")
def read_cookie(session_id: str = Cookie(None)):
    if session_id:
        return {"session_id": session_id}
    return {"error": "No session_id cookie found"}

Deleting Cookies in FastAPI

You can delete cookies by setting their expiration to a past date using the delete_cookie() method:

@app.get("/delete-cookie/")
def delete_cookie(response: Response):
    response.delete_cookie(key="session_id")
    return {"message": "Cookie deleted"}

Full Cookie Configuration in FastAPI

FastAPI provides several options for customizing cookies, including:

• httponly: Inaccessible via JavaScript.
• secure: Only sent over HTTPS.
• samesite: Controls cross-site behavior (lax, strict, or none).
• max_age: Defines the lifetime in seconds.
• path: Specifies the URL path for which the cookie is valid.
• domain: Specifies the domain that the cookie belongs to.

Example: Custom Cookie Settings

@app.get("/set-custom-cookie/")
def set_custom_cookie(response: Response):
    response.set_cookie(
        key="custom_cookie",
        value="custom_value",
        httponly=True,
        secure=True,
        samesite="strict",  # Strict SameSite policy
        path="/custom-path",  # Available only on /custom-path
        domain="example.com",  # Available to the domain example.com
        max_age=7200,  # Expires in 2 hours
    )
    return {"message": "Custom cookie set with specific attributes"}

• SameSite can be set to "strict", "lax", or "none".
• Path and Domain allow control over the scope of where the cookie is valid.

---

LocalStorage vs Cookies

When working with web applications, both LocalStorage and Cookies are used to store data on the client-side. However, they have significant differences in terms of capacity, accessibility, security, and use cases.

1. Storage Capacity

• LocalStorage: Can store up to 5-10MB of data, depending on the browser.
• Cookies: Can store up to 4KB of data.

Summary: LocalStorage offers much larger storage capacity compared to cookies.

2. Expiration

• LocalStorage: Data is stored indefinitely until manually cleared by the user or the application.
• Cookies: Cookies can have an expiration date or can be session-based, expiring when the browser is closed.

Summary: LocalStorage persists indefinitely, while cookies can expire based on server-side settings.

3. Accessibility

• LocalStorage: Accessible only by JavaScript and is not sent to the server automatically.
• Cookies: Can be accessed by both JavaScript (unless HttpOnly is set) and the server. Cookies are automatically sent with every HTTP request.

Summary: LocalStorage is only client-side, while cookies can be sent to the server automatically.

4. Security

• LocalStorage: Vulnerable to cross-site scripting (XSS) attacks as it is fully accessible via JavaScript.
• Cookies: Cookies can be secured using the HttpOnly flag (making them inaccessible to JavaScript) and Secure flag (ensuring they are only transmitted over HTTPS).

Summary: Cookies offer better security features for sensitive data.

5. Automatic Server Transmission

• LocalStorage: Data is not sent automatically with every HTTP request; you must manually send it if needed.
• Cookies: Cookies are automatically sent with every HTTP request to the domain they belong to.

Summary: Cookies are useful when you need to send data to the server automatically, like session management.

6. Use Cases

• LocalStorage: Suitable for storing non-sensitive, client-side data such as user preferences or cache.
  • Example: Storing a user’s theme preference (dark mode vs. light mode).
• Cookies: Best for storing small amounts of data that need to be sent to the server automatically, such as session tokens or authentication tokens.
  • Example: Storing session tokens to maintain user login state.

7. Read/Write Operations

• LocalStorage: Reads and writes are fast as they don’t involve any network requests.
• Cookies: Can slow down network requests because cookies are sent with each HTTP request.

Summary: LocalStorage is more efficient for frequent read/write operations.

8. Data Storage Scope

• LocalStorage: Data is available domain-wide and not shared between subdomains or domains.
• Cookies: Cookies can be restricted to specific paths or domains, allowing finer control.

Summary: Cookies offer more control over where they are valid, while LocalStorage is available across the entire domain.

Comparison Table

Feature	LocalStorage	Cookies
Capacity	5-10MB	4KB
Expiration	Persistent until manually cleared	Can expire based on max-age or expires
Accessibility	Client-side (JavaScript only)	Accessible to both client-side and server-side
Security	Vulnerable to XSS	Can be secured with HttpOnly and Secure flags
Automatic Server Transmission	Not automatically sent to server	Automatically sent with every HTTP request
Use Cases	Storing non-sensitive, client-side data	Storing session data, authentication tokens
Data Scope	Domain-wide	Can be restricted to specific paths/domains

Conclusion

• LocalStorage: Best for storing larger amounts of non-sensitive data that doesn’t need to be sent to the server automatically.
• Cookies: Best for small pieces of data that need to be sent with every HTTP request, such as session tokens or authentication data, and offer better security options.