A cookie is sent from the server to the browser as part of the HTTP headers.
Here's an example of an HTTP header to create a cookie:
```
Set-Cookie: fontSize=3; expires=Tuesday, 6-Jan-2009 17:53:08 GMT; path=/; domain=.example.com; HttpOnly
```
A cookie contains a number of pieces of information, summarized in the following table:
Cookie Field | Description |
---|---|
name | The name of the cookie. This is much like the name of a form field, or a key in an associative array. |
value | The value of the cookie. This is similar to the value of a form field or a value in an associative array. |
expires | The time that the cookie should expire. When this point is reached, the cookie is deleted from the browser and is no longer sent back to the server in requests. If this value is set to zero, or omitted, the cookie lasts as long as the browser is running, and is automatically deleted when the browser exits. |
path | The path that the browser should send the cookie back to. |
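domain | By default, a browser only sends a cookie back to the exact computer that sent it. The domain field widens this: with domain=.example.com, as in the header above, the browser also sends the cookie to other hosts within example.com. |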
secure | This field, if present, indicates that the cookie should be sent only if the browser has made a secure (https) connection with the server. |
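HttpOnly | This field, if present, tells the browser that it should make the cookie data accessible only to scripts that run on the Web server (that is, via HTTP). The browser still sends the cookie in requests, but client-side scripts such as JavaScript running in the page cannot read it. |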
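
The fields in the table decide where a cookie travels and who can read it. The following is an added example, not code from the original page: it parses a Set-Cookie header and reports which of those fields leave the cookie exposed. The helper names `parse_set_cookie` and `audit_cookie` are hypothetical, and the second header is constructed for comparison.

```python
# Added example: audit a Set-Cookie header against the fields in the table above.
# parse_set_cookie() and audit_cookie() are hypothetical helper names.

PAGE_HEADER = ("Set-Cookie: fontSize=3; expires=Tuesday, 6-Jan-2009 17:53:08 GMT; "
               "path=/; domain=.example.com; HttpOnly")   # header shown on the page
HARDENED_HEADER = "Set-Cookie: sid=abc123; path=/; secure; HttpOnly"  # constructed


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, fields)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("header does not start with a name=value pair")
    # The first pair is the cookie itself; everything after it is a field.
    name, _, value = parts[0].partition("=")
    fields = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Field names are case-insensitive; secure and HttpOnly carry no value.
        fields[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), fields


def audit_cookie(header):
    """Return findings about where the cookie is sent and who can read it."""
    _name, _value, fields = parse_set_cookie(header)
    findings = []
    if "secure" not in fields:
        findings.append("secure missing: cookie is also sent over plain http")
    if "httponly" not in fields:
        findings.append("HttpOnly missing: cookie is readable by scripts in the page")
    domain = fields.get("domain")
    if isinstance(domain, str) and domain:
        findings.append(f"domain={domain}: sent to every host within {domain.lstrip('.')}")
    return findings


if __name__ == "__main__":
    for hdr in (PAGE_HEADER, HARDENED_HEADER):
        print(hdr)
        for finding in audit_cookie(hdr) or ["no findings"]:
            print("  -", finding)
```

For the page's header the audit reports the missing secure field and the wide domain scope; for a preference such as a font size that may be acceptable, but the same settings on a session identifier would not be.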