web123456

HTTP protocol (IV): Set-Cookie

  • A cookie starts with a name/value pair:
    <cookie-name>: can contain any US-ASCII character except control characters (CTLs), spaces, or tabs. It must not contain any of the following delimiters: ( ) < > @ , ; : \ " / [ ] ? = { }.
    <cookie-value>: optional; if present, it is enclosed in double quotes. It may contain any US-ASCII character except control characters, whitespace, double quotes, commas, semicolons, and backslashes. On encoding: many applications URL-encode cookie values; the RFC does not require this, but it is a convenient way to satisfy the allowed-character rules.
    __Secure- prefix: a cookie whose name starts with __Secure- (the dash is part of the prefix) must be set with the Secure attribute and must be set from a secure page (one accessed over HTTPS).
    __Host- prefix: a cookie whose name starts with __Host- must be set with the Secure attribute, must be set from a secure page (one accessed over HTTPS), must not have a Domain attribute (so it is never sent to subdomains), and must have a Path attribute of "/".

  • Expires=<date>
    The maximum lifetime of the cookie, as a timestamp in HTTP-date form; see Date for the format. If this attribute is not set, the cookie is a session cookie: the session ends when the client shuts down, and session cookies are removed at that point. However, many web browsers support session restoring, which keeps all tabs and restores them when the browser is reopened; cookies are restored as well, as if the browser had never been closed.

  • Max-Age=<non-zero-digit>
    The number of seconds until the cookie expires. A value of 0 or -1 expires the cookie immediately. Some older browsers (IE 6, IE 7 and IE 8) do not support this attribute. In other browsers, if both Expires and Max-Age are present, Max-Age takes precedence.

  • Domain=<domain-value>
    Specifies the host to which the cookie will be sent. If omitted, it defaults to the host part of the current document's URL, excluding subdomains. Unlike earlier specifications, a leading dot in the domain name is ignored. If a domain is specified, its subdomains are always included.

  • Path=<path-value>
    Specifies a URL path that must exist in the requested resource's path before the Cookie header is sent. The character %x2F ("/") is treated as a directory separator, and subdirectories also match (for example, with Path=/docs, the paths "/docs", "/docs/Web/" and "/docs/Web/HTTP" all match).

  • Secure
    A cookie with the Secure attribute is only sent to the server when the request uses SSL/HTTPS. Even so, confidential or sensitive information should never be stored in or transmitted through HTTP cookies, because the mechanism as a whole is inherently insecure; for instance, using the protocol just mentioned does not by itself mean that all information is encrypted.
    Note: insecure sites (http:) can no longer set cookies with the Secure attribute (a restriction introduced in Chrome 52+ and Firefox 52+).
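To make the Expires/Max-Age, Domain, Path and Secure rules above concrete, here is an added Python example (not from the original page) that stores a Set-Cookie header the way a client would and then decides whether the stored cookie accompanies a later request. The header strings, host names and the timestamp NOW are constructed for the example; the path used when Path is absent follows RFC 6265's default-path rule, which goes beyond what the page describes.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers (not from the page); the first one
# carries both Expires and Max-Age so the priority rule can be observed.
SAMPLE_HEADERS = {
    "both":    "id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Max-Age=3600; Path=/docs",
    "domain":  "sess=xyz; Domain=.example.com; Path=/; Secure",
    "expired": "gone=1; Max-Age=0",
    "session": "tmp=2",
}
# Constructed "current time" so the expiry arithmetic is reproducible.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def resolve_expiry(attrs, now):
    """Absolute expiry time, or None for a session cookie.

    Max-Age wins over Expires when both are present; a Max-Age of 0 or a
    negative value expires the cookie immediately."""
    max_age = attrs.get("max-age")
    if max_age is not None and re.fullmatch(r"-?\d+", max_age):
        seconds = int(max_age)
        return now if seconds <= 0 else now + timedelta(seconds=seconds)
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"])
    return None


def default_path(request_path):
    """RFC 6265 default-path: the directory of the setting URL (assumption, not on the page)."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def store_cookie(header, set_from_url, now):
    """Turn a Set-Cookie header received from set_from_url into a stored cookie record."""
    name, value, attrs = parse_set_cookie(header)
    origin = urlsplit(set_from_url)
    domain = attrs.get("domain", "").lstrip(".").lower()   # a leading dot is ignored
    return {
        "name": name, "value": value,
        "domain": domain or origin.hostname.lower(),
        "host_only": not domain,                            # no Domain: exact host only
        "path": attrs.get("path") or default_path(origin.path or "/"),
        "secure": "secure" in attrs,
        "expires": resolve_expiry(attrs, now),
    }


def domain_matches(cookie, host):
    """Host-only cookies need an exact host; Domain cookies also cover subdomains."""
    host = host.lower()
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])


def path_matches(cookie_path, request_path):
    """'/docs' matches '/docs', '/docs/Web/' and '/docs/Web/HTTP' but not '/docsx'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def should_send(cookie, request_url, now):
    """Decide whether a stored cookie accompanies a request to request_url."""
    url = urlsplit(request_url)
    if cookie["secure"] and url.scheme != "https":      # Secure: HTTPS only
        return False
    if cookie["expires"] is not None and cookie["expires"] <= now:
        return False
    if not domain_matches(cookie, url.hostname or ""):
        return False
    return path_matches(cookie["path"], url.path or "/")


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        c = store_cookie(header, "https://www.example.com/docs/index.html", NOW)
        print(label, c["expires"], should_send(c, "https://www.example.com/docs/Web/HTTP", NOW))
```

Running the script shows the "both" cookie expiring one hour after NOW (Max-Age overrides the 2015 Expires date), the "expired" cookie never being sent, and the "session" cookie carrying no expiry at all.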

  • HttpOnly (optional)
    A cookie with the HttpOnly attribute cannot be accessed from JavaScript, whether through the document's cookie property, XMLHttpRequest, or the Request API; this helps mitigate cross-site scripting (XSS) attacks.

  • SameSite=Strict / Lax (optional)
    Lets the server require that a cookie not be sent along with cross-site requests, which offers some protection against cross-site request forgery (CSRF) attacks.
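As an added example (not part of the original page), the following Python checker applies the name/value character rules and the __Secure-/__Host- prefix rules from the top of the page together with the Secure, HttpOnly and SameSite attributes described above, and then assembles the header. Treating a missing Secure, HttpOnly or SameSite as a problem is this example's own hardening policy for session cookies; the WEAK and HARDENED definitions are constructed inputs.

```python
from urllib.parse import quote

# Delimiters the page lists as forbidden in a cookie name (besides CTLs, space and tab).
_NAME_SEPARATORS = set('()<>@,;:\\"/[]?={}')
# Forbidden inside a cookie value: whitespace, double quote, comma, semicolon, backslash.
_VALUE_FORBIDDEN = set(' \t,;"\\')


def _is_ctl(ch):
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def valid_cookie_name(name):
    """US-ASCII, no CTLs, no space or tab, and none of the separator characters."""
    return bool(name) and all(
        ord(c) < 0x80 and not _is_ctl(c) and c not in " \t" and c not in _NAME_SEPARATORS
        for c in name)


def valid_cookie_value(value):
    """US-ASCII without CTLs or the forbidden delimiters; surrounding quotes are allowed."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return all(ord(c) < 0x80 and not _is_ctl(c) and c not in _VALUE_FORBIDDEN for c in value)


def encode_cookie_value(raw):
    """URL-encode a value so that it satisfies the allowed-character rules."""
    return quote(raw, safe="")


def check_cookie(name, value, secure=False, http_only=False, same_site=None,
                 domain=None, path=None):
    """Return the problems with a cookie definition; [] means well formed and hardened."""
    problems = []
    if not valid_cookie_name(name):
        problems.append("name contains a forbidden character")
    if not valid_cookie_value(value):
        problems.append("value contains a forbidden character; URL-encode it")
    # Prefix rules from the page.
    if name.startswith("__Secure-") and not secure:
        problems.append("__Secure- prefix requires the Secure attribute")
    if name.startswith("__Host-"):
        if not secure:
            problems.append("__Host- prefix requires the Secure attribute")
        if domain is not None:
            problems.append("__Host- prefix forbids the Domain attribute")
        if path != "/":
            problems.append("__Host- prefix requires Path=/")
    # Hardening expectations for a session cookie (this example's policy, not the page's).
    if not secure:
        problems.append("missing Secure: cookie would also travel over plain HTTP")
    if not http_only:
        problems.append("missing HttpOnly: cookie is readable from JavaScript")
    if same_site not in ("Strict", "Lax"):
        problems.append("missing SameSite=Strict or SameSite=Lax")
    return problems


def build_set_cookie(name, value, secure=False, http_only=False, same_site=None,
                     domain=None, path=None):
    """Assemble a Set-Cookie header, refusing definitions that break the character or prefix rules."""
    structural = [p for p in check_cookie(name, value, secure, http_only, same_site, domain, path)
                  if not p.startswith("missing")]
    if structural:
        raise ValueError("; ".join(structural))
    parts = [f"{name}={value}"]
    if domain is not None:
        parts.append(f"Domain={domain}")
    if path is not None:
        parts.append(f"Path={path}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if same_site:
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


# Constructed definitions: a bare session cookie and a hardened one.
WEAK = dict(name="session", value="a3fWa")
HARDENED = dict(name="__Host-session", value="a3fWa", secure=True, http_only=True,
                same_site="Lax", path="/")

if __name__ == "__main__":
    print("weak:", check_cookie(**WEAK))
    print("hardened:", check_cookie(**HARDENED), build_set_cookie(**HARDENED))
```

For WEAK the checker reports the three missing attributes; for HARDENED it reports nothing and the builder emits `__Host-session=a3fWa; Path=/; Secure; HttpOnly; SameSite=Lax`.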