HTTP::SET_COOOKIE 1g 2024-03-17 laplante@plcb.ca GOWEB/HTTP

author: laplante@plcb.ca date: 2024-03-17 title: “HTTP::SET_COOKIE Function” version: 1.0.0 section: 1g category: GOWEB/HTTP

Name

http::set_cookie — Set or delete cookies http::setCookie — Set or delete cookies

Synopsis

http::set_cookie(name: string [, value: string, path: string, max_age: int, http_only: bool, secure: bool, same_site: int])

Description

The http::set_cookie function sends a cookie to the client’s browser. It allows fine-grained control over cookie attributes such as expiration time, security flags, and SameSite policies.

To delete a cookie, set its value to an empty string and max_age to -1:

set_cookie(name: "session", value: "", max_age: -1);

Parameters

• name: The name of the cookie.
• value: The value assigned to the cookie.
• path: Path scope for the cookie. Defaults to /.
• max_age: Lifetime of the cookie in seconds. Defaults to 3600.
• http_only: If set to true (default), the cookie cannot be accessed via client-side scripts.
• secure: If set to true (default), the cookie is only transmitted over HTTPS.
• same_site: Defines cross-site transmission behavior. Defaults to http::SameSiteStrictMode.
  • http::SameSiteLaxMode
  • http::SameSiteStrictMode
  • http::SameSiteNoneMode

Notes on SameSite

From OWASP:

• Strict: Prevents the cookie from being sent in all cross-site contexts, even when following a link. Suitable for highly sensitive sites (e.g., banking).
• Lax: Balances usability and security. Cookies are included when navigating via links but excluded in CSRF-prone methods (e.g., POST).
• None: Disables SameSite protections, sending cookies in all contexts. Not recommended unless necessary.

Examples

// Set a cookie with relaxed SameSite policy
set_cookie(name: "cd", value: data.set, same_site: http::SameSiteNoneMode);

See also

• HTTP functions
• Main

Version

• 1.0.0 — 2024-03-17, initial version by laplante@plcb.ca