Web Cookies Best Practices

Effective Date/Issuing Authority

Effective Date: November 27, 2024
Issuing Authority: Office of Information Technology Services

Purpose

This document provides guidelines for using the Domain and Path attributes when setting web cookies to ensure secure and efficient cookie management. Correct use of these attributes prevents potential security breaches and performance degradation by restricting the scope of cookies to appropriate domains and paths within our organization’s web ecosystem.

Domain Attribute

The Domain attribute controls which domains can access the cookie. By default, this attribute is not set, limiting the cookie to the domain that created it.

Best Practice

  • Don’t set the Domain attribute at all.
  • If you chose to set it, set the Domain to the current host (e.g., subdomain.temple.edu).
  • Avoid setting it to a higher-level domain like temple.edu.
    • Doing so would expose the cookie to all subdomains of temple.edu, meaning it would be included in every request to any page, file, or asset across those subdomains. This can lead to unnecessary data leakage and increased load on resources across multiple domains, risking performance issues and potential security breaches.

Path Attribute

The Path attribute defines the URL path for which the cookie is valid. It helps limit which parts of the site can access the cookie.

Best Practice

  • Use the Path attribute to restrict the cookie to the specific section of the site that requires it, rather than making it available site wide.
  • Example: Setting Path=/restricted-section/ ensures that the cookie is only sent when the user accesses this path.

Additional Reference

The following are references to specific cookie attribute settings from the MDN Web Docs (Mozilla Developers Network) and from Google:

Key Takeaways

  • Avoid broad Domain settings like temple.edu.
  • Limit the cookie's availability to necessary parts of the site using the Path attribute.

Proper use of these attributes minimizes exposure of cookie data, reduces risk, and ensures better performance across all Temple’s websites.

Print Article