What immediately stands out to me: the secure attribute is not set (only transmit via TLS, never unencrypted). Also - especially if used for a session cookie - the HttpOnly attribute should probably also be set (=value not accessible from JS, only sent in request headers).
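The two attributes named in the comment above, shown in working code. This is an added example, not code from anyone in the thread: a small Set-Cookie parser, an audit that flags a session cookie lacking Secure or HttpOnly, and a builder for a hardened header. The sample header values and the cookie name `sessionid` are constructed; the SameSite check goes one step beyond the comment, which only mentions Secure and HttpOnly.

```javascript
// Added example (not from the original thread): audit a Set-Cookie header for
// the Secure and HttpOnly attributes, and build a hardened one.

// Parse a Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attrs = {};
  for (const p of attrParts) {
    const i = p.indexOf('=');
    if (i === -1) attrs[p.toLowerCase()] = true;
    else attrs[p.slice(0, i).trim().toLowerCase()] = p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Return a list of findings for a session-cookie header; an empty list means OK.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) findings.push('missing Secure: cookie may be sent over plain HTTP');
  if (!attrs.httponly) findings.push('missing HttpOnly: cookie readable from document.cookie');
  if (!attrs.samesite) findings.push('missing SameSite: cookie sent on cross-site requests');
  return findings;
}

// Build a hardened Set-Cookie header for a session identifier.
function hardenedSessionCookie(name, value, { maxAge = 3600, sameSite = 'Lax' } = {}) {
  return [
    `${name}=${value}`,
    'Path=/',
    `Max-Age=${maxAge}`,
    'Secure',     // only sent over TLS
    'HttpOnly',   // not exposed to document.cookie
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Constructed sample headers (not real cookies).
const WEAK = 'sessionid=abc123; Path=/';
const HARDENED = hardenedSessionCookie('sessionid', 'abc123');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', auditSessionCookie(WEAK));        // three findings
  console.log('hardened:', auditSessionCookie(HARDENED)); // []
  console.log(HARDENED);
}
```

Run the audit against the raw `Set-Cookie` response header (for example from a proxy log or a fetch wrapper) rather than against `document.cookie`, since an HttpOnly cookie is by design invisible to script.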
Oh right, that makes sense; it’s been quite a while since I’ve done web development. That seems rather subtle though, right? Not sure if the comic OP is just flat anti-cookie without nuance, but it gives off that vibe.
I guess it’s flat anti-cookie.