Set-Cookie
Response header Cookies

Overview

Set-Cookie is a response header that instructs the client to store a cookie. The browser saves it and sends it back on subsequent requests to the same site via the Cookie header, enabling session management, keeping auth state, and personalization.

To set multiple cookies, include the Set-Cookie header multiple times, one per line per cookie. Never pack several cookies into a single header separated by commas.

Details

A cookie is a name=value pair followed by semicolon-separated attributes. Without Expires or Max-Age it becomes a session cookie that vanishes when the browser closes; with either it becomes a persistent cookie stored on disk. When both are present, Max-Age wins.

To delete a cookie you must resend it with the same name, Path, and Domain plus Max-Age=0 (or a past Expires). If the Path or Domain differs from when it was set, the original is not cleared and a ghost cookie lingers.

The default SameSite is Lax in modern browsers. Lax sends the cookie on top-level navigations (link clicks) but not on iframes, images, or cross-site POSTs, which blocks much of CSRF. If you need the cookie in a third-party context (embedded on another site), you must set SameSite=None; Secure.

Syntax

Set-Cookie: <name>=<value>[; <attr>]*

e.g. Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600

Directives / values

Expires=<date>Cookie expiry as an HTTP-date. Makes the cookie persistent.
Max-Age=<seconds>Relative expiry in seconds. Takes precedence over Expires; 0 or negative deletes it now.
Domain=<domain>Domain scope the cookie is sent to. If omitted it is host-only (no subdomains).
Path=<path>Path prefix the cookie is sent for. Defaults based on the request path.
SecureOnly sends the cookie over HTTPS connections.
HttpOnlyBlocks JS (document.cookie) access, mitigating cookie theft via XSS.
SameSite=Lax|Strict|NoneCross-site sending policy. None must be paired with Secure.
PartitionedCHIPS: uses a per-top-level-site partitioned cookie jar.

Notes

Related headers

Related status codes

Specification