You have completed Using Cookies and JWTs for Secure Authentication!
We've set and retrieved a basic cookie, but we haven't removed our cookie yet. We also haven't used any of the additional settings that limit access to our cookies. Let's take a look at the settings we'll be working with.
Cookie Settings
Name | Default | Description | Default behavior |
---|---|---|---|
Expiration Date | 0 | The Expiration Date tells the browser how long to store the cookie. This is a full date and time in UTC. When it is past the expiration date, the cookie is removed. This is used both to delete a cookie, such as when a user logs out, and also to keep a cookie active after the browser has been closed. | The default of 0 uses the browser setting for cookie expiration, which typically means the cookie is removed when the browser is closed. |
Path | '/' | The Path restricts when a cookie is sent to the server. For example, if we wanted to store information that is only used in an admin section, we could set the path to '/admin'. | The default is the root of the domain, which allows the cookie to be accessed for the entire site. |
Domain | full host | If a root-level domain is specified, all subdomains will also be able to access the cookie. | The default is the full host, including any subdomain, which makes the cookie available only to that single subdomain. |
Secure | false | Adding the Secure parameter makes sure the cookie can only be transmitted securely over HTTPS, and it will not be sent over unencrypted HTTP connections. | By default, this parameter is not sent. |
HttpOnly | true | The HttpOnly parameter makes cookies inaccessible via the document.cookie API, so they are only editable by the server. | By default, the HTTP foundations plugin we're using does send this parameter. |
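The settings above, shown as the `Set-Cookie` header a server would send for login, logout and a weakly configured cookie, plus a small audit of each header. This is an added example in Python, not code from the course project; the function names, the `access_token` cookie name, the `example.com` hosts and the dates are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from http.cookies import SimpleCookie


def build_set_cookie(name, value, *, expires=None, path="/", domain=None,
                     secure=False, httponly=True):
    """Build a Set-Cookie value; keyword defaults mirror the table's defaults."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    if expires is not None:  # omitted: browser drops the cookie when it closes
        utc = expires.astimezone(timezone.utc)
        morsel["expires"] = format_datetime(utc, usegmt=True)
    if domain:  # omitted: cookie stays on the exact host that set it
        morsel["domain"] = domain
    morsel["secure"] = secure      # flag attributes: emitted only when True
    morsel["httponly"] = httponly
    return morsel.OutputString()


def audit_set_cookie(header, host, now):
    """Return a list of findings for one Set-Cookie value sent by `host`."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, m in jar.items():
        if not m["secure"]:
            findings.append(f"{name}: no Secure, also sent over plain HTTP")
        if not m["httponly"]:
            findings.append(f"{name}: no HttpOnly, readable via document.cookie")
        domain = m["domain"].lstrip(".")
        if domain and domain != host and host.endswith("." + domain):
            findings.append(f"{name}: Domain={domain} shares it with all subdomains")
        if m["expires"] and parsedate_to_datetime(m["expires"]) <= now:
            findings.append(f"{name}: expiration is in the past, browser deletes it")
    return findings


# Constructed sample values (not from the course project).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LOGIN = build_set_cookie("access_token", "abc123", path="/admin", secure=True,
                         expires=NOW + timedelta(hours=2))
LOGOUT = build_set_cookie("access_token", "deleted", path="/admin", secure=True,
                          expires=NOW - timedelta(hours=1))
WEAK = "access_token=abc123; Domain=example.com; Path=/"

if __name__ == "__main__":
    for header in (LOGIN, LOGOUT, WEAK):
        print(header, audit_set_cookie(header, "www.example.com", NOW), sep="\n  ")
```

The logout header reuses the same name and path as the login header, because a browser only replaces a cookie when those attributes match the one it stored.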
We've set and retrieved a basic cookie,
but we haven't removed our cookie yet.
0:00
We also haven't used any of the additional
settings that limit access to our cookies.
0:06
Let's take a look at the settings
that we'll be working with.
0:11
The expiration date tells the browser
how long to store the cookie.
0:14
This is a full date and time in UTC.
0:19
When it is past the expiration date,
the cookie is removed.
0:22
This is used both to delete a cookie,
such as when a user logs out, and
0:26
also to keep a cookie active after
the browser has been closed.
0:30
The default is 0, using the browser
setting for cookie expiration,
0:35
which typically means that the cookie
is removed when the browser is closed.
0:39
The path restricts when
a cookie is sent to the server.
0:44
For example, if we wanted to store
information that is only used
0:49
in an admin section,
we could set the path to /admin.
0:53
The default is the root of the domain,
which allows the cookie to be accessed for
0:58
the entire site.
1:02
The default for the domain is the full
host, including any subdomain.
1:04
This will make the cookie available
only to that single subdomain.
1:10
If a root level domain is specified,
1:14
all subdomains will also be
able to access that cookie.
1:17
The last two settings we're going
to be using are single parameters,
1:22
not a key value pair.
1:26
They're either sent to the cookie or not.
1:28
Adding the secure parameter makes
sure the cookie can only be
1:31
transmitted securely over HTTPS, and
1:36
it will not be sent over
unencrypted HTTP connections.
1:39
By default, this parameter is not sent.
1:44
The HttpOnly parameter makes
cookies inaccessible via
1:48
the document.cookie API, so
they are only editable by the server.
1:53
By default, the HTTP foundations plug-in
that we're using does send this parameter.
1:59
Let's jump back into our project and
start using these new settings.
2:07