What are The Different Types of Web Cookies?

Best practices

Always use secure attributes for cookies that contain sensitive information to ensure they are only sent over HTTPS.
Set HttpOnly attribute for cookies to prevent access via JavaScript, enhancing security against cross-site scripting (XSS) attacks.
Utilize session cookies for data that should only persist during an active session to minimize data exposure risks.
Implement expiration dates for persistent cookies to manage how long data is stored on the user's device, aiding in privacy control.

import requests

# Send a GET request to the website
response = requests.get('https://sandbox.oxylabs.io/products')

# Extract cookies from the response
cookies = response.cookies

# Print all cookies
print("All Cookies:", cookies)

# Access specific types of cookies
session_cookies = [cookie for cookie in cookies if cookie.expires is None]
persistent_cookies = [cookie for cookie in cookies if cookie.expires is not None]

# Print session cookies (expire with the session)
print("Session Cookies:", session_cookies)

# Print persistent cookies (have an expiration date)
print("Persistent Cookies:", persistent_cookies)

# Check for Secure cookies (transmitted over HTTPS)
secure_cookies = [cookie for cookie in cookies if cookie.secure]

# Print secure cookies
print("Secure Cookies:", secure_cookies)

# Check for HttpOnly cookies (not accessible via JavaScript)
httponly_cookies = [cookie for cookie in cookies if cookie.has_nonstandard_attr('HttpOnly')]

# Print HttpOnly cookies
print("HttpOnly Cookies:", httponly_cookies)

Common issues

Ensure that the domain and path attributes of cookies are correctly set to restrict their scope and prevent them from being sent to unintended locations.
Regularly update and validate the expiration settings of persistent cookies to reflect changes in privacy policy and user preferences.
Use the Secure flag in conjunction with the HttpOnly flag for comprehensive security that guards against both interception and client-side scripting attacks.
Review and clean up session and persistent cookies periodically to avoid unnecessary data retention and potential compliance issues.

# Bad: Not specifying domain and path for cookies, which might lead to security issues
response.set_cookie('user_id', '12345')

# Good: Specify domain and path to restrict cookie scope
response.set_cookie('user_id', '12345', domain='example.com', path='/secure')

# Bad: Using outdated expiration for cookies
response.set_cookie('user_session', 'abcd', expires='Thu, 01 Jan 1970 00:00:00 GMT')

# Good: Set appropriate expiration date reflecting current policies
from datetime import datetime, timedelta
expiration_date = datetime.now() + timedelta(days=90)
response.set_cookie('user_session', 'abcd', expires=expiration_date.strftime('%a, %d-%b-%Y %H:%M:%S GMT'))

# Bad: Setting cookies without Secure or HttpOnly flags
response.set_cookie('auth_token', 'secure123')

# Good: Use Secure and HttpOnly flags to enhance cookie security
response.set_cookie('auth_token', 'secure123', secure=True, httponly=True)

# Bad: Keeping session cookies indefinitely without review
session_cookies = [cookie for cookie in cookies if cookie.expires is None]

# Good: Periodically review and clean up session cookies
# Implement a routine to check and delete unnecessary session cookies
for cookie in session_cookies:
if not necessary(cookie):
delete_cookie(cookie)