What is document.cookie?

I’ve used cookies as a web developer for many years, but never understood them in detail. In this post, I look at the document.cookie API.

Cookies are client-side storage. Cookies were the first client-side storage available in the browser. They have three main use-cases: sessions, preferences, and tracking. Nowadays, there are three more client-side storage APIs: localStorage, sessionStorage, and indexedDB, Arguably, cookies are obsoleted by these newer APIs, but you still need to know about cookies, because they won’t go away any time soon!

You can view cookies for this website, jameshfisher.com, in Google Chrome by opening: Developer tools > Application > Storage > Cookies > https://jameshfisher.com. There, you’ll see two or three cookies.

Cookies have a bunch of standard attributes. A fundamental one is the name. You’ll see cookies on this page called _ga and _gid. These cookies were set by Google Analytics, which I use to track visitors to this website. Many sites use Google Analytics, and if you view the cookies on those sites, you’ll also see _ga and _gid: they are standard names used by Google.

Alternatively, you can view the cookies from the JavaScript console, using document.cookie:

> document.cookie
"_ga=GA1.2.12345.67890; _gid=GA1.2.111111.222222"

Rather oddly, the cookies come back as a string! The form is roughly as follows. We’ll revisit this when we look at how cookies are transferred over HTTP.

cookieString ::= cookie [ "; " cookieString ]
cookie ::= name "=" value

You can set some cookies yourself! From the console, assign a new cookie to document.cookie which sets the cookie bgcolor to the value mintcream:

> document.cookie = "bgcolor=mintcream";
> document.cookie
"_ga=GA1.2.12345.67890; _gid=GA1.2.111111.222222; bgcolor=mintcream"

Yes, this API is pretty weird! Formatted strings as arguments, formatted strings as return values, and a horrible abuse of assignment. The reasons are lost to the dark ages of the browser. Google seem to be designing a better replacement API, but it’s early days, so we’re stuck with document.cookie.

Assigning to cookies is not much use unless we can access them. Let’s say we want to use the value of bgcolor to style the page. To do so, we have to parse out the cookie and extract the value, like so:

> document.body.style.backgroundColor = document.cookie.split(';').filter(c => c.startsWith(' bgcolor='))[0].split('=')[1]

If you think this API is bad so far, just wait: it only gets worse from here!

Your browser stores lots of cookies. but in each tab, only some of those cookies are used. On this page, only two or three cookies are used. Two cookie attributes determine whether the cookie is used: the cookie’s domain and the cookie’s path. Together, the domain and path are called the cookie’s “scope”.

For the Google Analytics cookies, the domain value is .jameshfisher.com, and the path value is /. The cookie’s domain and path are matched against the full URL of this page, which is https://jameshfisher.com/2018/12/22/what-is-document-cookie. The cookie’s domain .jameshfisher.com matches the URL’s domain jameshfisher.com, and the cookie’s path / matches the URL’s path /2018/12/22/what-is-document-cookie, so the cookie is used on this page.

The cookie’s domain .jameshfisher.com is really a domain suffix: it matches the domain jameshfisher.com, or any subdomains such as www.jameshfisher.com or a.b.c.jameshfisher.com. And the cookie’s path / is really a path prefix: it matches all paths!

Notice, though, that the bgcolor cookie we set earlier with JavaScript does not have the domain .jameshfisher.com; it has the domain jameshfisher.com, without a leading dot. This only matches the domain jameshfisher.com - no subdomains! So a cookie domain beginning with . is a domain suffix; otherwise, it’s a fully qualified domain.

The cookie bgcolor got the domain jameshfisher.com because the default cookie domain is the domain of the current page. To make bgcolor available to subdomains, you can set the domain explicitly to .jameshfisher.com by appending ;domain=.jameshfisher.com to the assignment:

> document.cookie = "bgcolor=mintcream;domain=.jameshfisher.com";
> document.cookie
"_ga=GA1.2.12345.67890; _gid=GA1.2.111111.222222; bgcolor=mintcream; bgcolor=mintcream"

But what’s this? We now have two cookies called bgcolor! By checking the cookies listed in developer tools, you can see the two cookies: one for jameshfisher.com, and another for .jameshfisher.com. If you consider the browser’s cookies as a big relational table, the unique key is (domain, path, name). We have two cookies: first, (jameshfisher.com, /2018/12/22, bgcolor), and second, (jameshfisher.com, /2018/12/22, bgcolor).

It was not obvious from the value of document.cookie that those two cookies had different domains. Those cookie attributes are omitted entirely in document.cookie. In fact, from JavaScript, you only have access to the name and value of the cookie, and no access to any other attributes such as the domain or path!

Let’s say we wanted the cookie to be exposed to subdomains, so we want to delete the cookie for jameshfisher.com. But there is no explicit API for cookie deletion! Instead, we have to use another cookie attribute: expires. All cookies have an expiry time, and we delete a cookie by setting its expiry time to the past! We can do this by appending ;expires=Thu, 01 Jan 1970 00:00:01 GMT to the cookie. Let’s do that for the cookie for jameshfisher.com:

> document.cookie = "bgcolor=mintcream;domain=jameshfisher.com;expires=Thu, 01 Jan 1970 00:00:01 GMT";
> document.cookie
"_ga=GA1.2.12345.67890; _gid=GA1.2.111111.222222; bgcolor=mintcream"

Back to one bgcolor cookie: all looks good! But wait ... if you check the developer tools, you’ll see that we deleted the wrong cookie! We asked to delete the cookie for jameshfisher.com, but instead the cookie for .jameshfisher.com is gone! What happened?!

It turns out, if you explicitly specify the domain when setting a cookie, this always means a domain suffix. So even if you specify ;domain=jameshfisher.com, this gets interpreted as ;domain=.jameshfisher.com! (I told you this API was bad.) The only way to delete the cookie for jameshfisher.com is by omitting the domain attribute entirely, allowing it to fall back to the default domain taken from the current page:

> document.cookie = "bgcolor=mintcream;expires=Thu, 01 Jan 1970 00:00:01 GMT";
> document.cookie
"_ga=GA1.2.12345.67890; _gid=GA1.2.111111.222222"

For both of our cookies, the path was /2018/12/22: you can check this in developer tools. But where did this path come from? Because we didn’t set the cookie’s path explicitly, it defaulted to the directory of the current page. The full URL of this page is https://jameshfisher.com/2018/12/22/what-is-document-cookie. The full path is /2018/12/22/what-is-document-cookie. The directory of this path is /2018/12/22. So this cookie matches the current page, plus anything else I published on 2018-12-22 (of which there is nothing).

Tagged #programming, #web.
👋 I'm Jim, a full-stack product engineer. Want to build an amazing product and a profitable business? Read more about me or Get in touch!

Similar posts

How can I capture all crashes in a web page?
Including uncaught errors, unhandled promise rejections, image load failures, Content Security Policy violations, and console.error calls. 2024-03-14
How do errors in a web page reach the dev console?
Errors in JavaScript cause an ErrorEvent on window. Preventing the default action blocks console output. Resource errors follow the capture-bubble event model. 2024-03-13
A formula for responsive font-size
Try setting the root font-size to calc(1rem + 0.25vw) instead of using media queries with fixed breakpoints. 2024-03-12
Setting font-size based on viewing distance
Estimating viewing distance from screen size to set optimal font-size, but other factors like user mobility, long-sightedness, and short-sightedness complicate the ideal font-size calculation. 2024-03-11
How does HotJar record your screen?
“Session replay” tools record user interactions by capturing DOM changes, external resources, and viewport state, using efficient techniques like the MutationObserver API. 2024-03-09
How to replace GIF with HTML video in 2021
To replace a GIF with an HTML <video> element in 2021, use a long list of attributes disable unwanted browser behaviors. 2021-01-19

Similar posts

How can I capture all crashes in a web page?
Including uncaught errors, unhandled promise rejections, image load failures, Content Security Policy violations, and console.error calls. 2024-03-14
How do errors in a web page reach the dev console?
Errors in JavaScript cause an ErrorEvent on window. Preventing the default action blocks console output. Resource errors follow the capture-bubble event model. 2024-03-13
A formula for responsive font-size
Try setting the root font-size to calc(1rem + 0.25vw) instead of using media queries with fixed breakpoints. 2024-03-12
Setting font-size based on viewing distance
Estimating viewing distance from screen size to set optimal font-size, but other factors like user mobility, long-sightedness, and short-sightedness complicate the ideal font-size calculation. 2024-03-11
How does HotJar record your screen?
“Session replay” tools record user interactions by capturing DOM changes, external resources, and viewport state, using efficient techniques like the MutationObserver API. 2024-03-09
How to replace GIF with HTML video in 2021
To replace a GIF with an HTML <video> element in 2021, use a long list of attributes disable unwanted browser behaviors. 2021-01-19

More by Jim

What does the dot do in JavaScript?
foo.bar, foo.bar(), or foo.bar = baz - what do they mean? A deep dive into prototypical inheritance and getters/setters. 2020-11-01
Smear phishing: a new Android vulnerability
Trick Android to display an SMS as coming from any contact. Convincing phishing vuln, but still unpatched. 2020-08-06
A probabilistic pub quiz for nerds
A “true or false” quiz where you respond with your confidence level, and the optimal strategy is to report your true belief. 2020-04-26
Time is running out to catch COVID-19
Simulation shows it’s rational to deliberately infect yourself with COVID-19 early on to get treatment, but after healthcare capacity is exceeded, it’s better to avoid infection. Includes interactive parameters and visualizations. 2020-03-14
The inception bar: a new phishing method
A new phishing technique that displays a fake URL bar in Chrome for mobile. A key innovation is the “scroll jail” that traps the user in a fake browser. 2019-04-27
The hacker hype cycle
I got started with simple web development, but because enamored with increasingly esoteric programming concepts, leading to a “trough of hipster technologies” before returning to more productive work. 2019-03-23
Project C-43: the lost origins of asymmetric crypto
Bob invents asymmetric cryptography by playing loud white noise to obscure Alice’s message, which he can cancel out but an eavesdropper cannot. This idea, published in 1944 by Walter Koenig Jr., is the forgotten origin of asymmetric crypto. 2019-02-16
How Hacker News stays interesting
Hacker News buried my post on conspiracy theories in my family due to overheated discussion, not censorship. Moderation keeps the site focused on interesting technical content. 2019-01-26
My parents are Flat-Earthers
For decades, my parents have been working up to Flat-Earther beliefs. From Egyptology to Jehovah’s Witnesses to theories that human built the Moon billions of years in the future. Surprisingly, it doesn’t affect their successful lives very much. For me, it’s a fun family pastime. 2019-01-20
The dots do matter: how to scam a Gmail user
Gmail’s “dots don’t matter” feature lets scammers create an account on, say, Netflix, with your email address but different dots. Results in convincing phishing emails. 2018-04-07
The sorry state of OpenSSL usability
OpenSSL’s inadequate documentation, confusing key formats, and deprecated interfaces make it difficult to use, despite its importance. 2017-12-02
I hate telephones
I hate telephones. Some rational reasons: lack of authentication, no spam filtering, forced synchronous communication. But also just a visceral fear. 2017-11-08
The Three Ts of Time, Thought and Typing: measuring cost on the web
Businesses often tout “free” services, but the real costs come in terms of time, thought, and typing required from users. Reducing these “Three Ts” is key to improving sign-up flows and increasing conversions. 2017-10-26
Granddad died today
Granddad died. The unspoken practice of death-by-dehydration in the NHS. The Liverpool Care Pathway. Assisted dying in the UK. The importance of planning in end-of-life care. 2017-05-19
How do I call a program in C, setting up standard pipes?
A C function to create a new process, set up its standard input/output/error pipes, and return a struct containing the process ID and pipe file descriptors. 2017-02-17
Your syntax highlighter is wrong
Syntax highlighters make value judgments about code. Most highlighters judge that comments are cruft, and try to hide them. Most diff viewers judge that code deletions are bad. 2014-05-11

This page copyright James Fisher 2018. Content is not associated with my employer. Found an error? Edit this page.

Jim Fisher
CV
Speaking
Blogroll
RSS
TigYog
Kickabout