How can we have a server remember or trust a visitor?

identifying and trusting requests

When the server sets a cookie once in any response, the browser saves it and then sends it back with every request to that domain.

By default the cookie is set so that it can be accessed by JavaScript; that's okay for things that are not security related, like layout or color scheme.

For security, we can send the cookie with the httpOnly flag; then it will not be accessible from JavaScript and is only sent along with requests.

Adding the secure flag makes the cookie only be sent over HTTPS requests/responses.

The maxAge flag sets the expiration time of the cookie, measured in milliseconds after the cookie is created.
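As an added example (not part of the original notes), here is how those flags end up in the actual Set-Cookie header, in plain Node.js with no framework. The `maxAgeMs` option follows the millisecond convention described above (as Express's `maxAge` option does); the wire attribute `Max-Age` is in seconds, so the helper converts. It also adds `SameSite`, an attribute the notes do not mention, and parses the `Cookie` header the browser sends back. The function names are my own.

```javascript
// Added example: build a Set-Cookie header value with the security flags
// discussed in the notes, and parse the Cookie request header.

// Cookie names must be HTTP tokens (RFC 6265); reject anything else early.
const COOKIE_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function buildSetCookie(name, value, opts = {}) {
  const {
    httpOnly = true,   // not readable from document.cookie
    secure = true,     // only sent over HTTPS
    maxAgeMs,          // lifetime in milliseconds (converted to seconds on the wire)
    sameSite = 'Lax',  // limits cross-site sending; not covered in the notes above
    path = '/',
  } = opts;
  if (!COOKIE_NAME.test(name)) throw new Error('invalid cookie name');

  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAgeMs !== undefined) parts.push(`Max-Age=${Math.floor(maxAgeMs / 1000)}`);
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse "a=1; b=2" from the Cookie request header into an object.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const pair of header.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const key = pair.slice(0, idx).trim();
    const raw = pair.slice(idx + 1).trim();
    if (!key) continue;
    try {
      out[key] = decodeURIComponent(raw);
    } catch {
      out[key] = raw; // malformed percent-encoding: keep the raw value
    }
  }
  return out;
}

// Constructed sample usage: a session cookie with a one-hour lifetime,
// and a theme cookie that JavaScript is allowed to read.
console.log(buildSetCookie('sid', 'abc 123', { maxAgeMs: 60 * 60 * 1000 }));
console.log(buildSetCookie('theme', 'dark', { httpOnly: false, secure: false }));
console.log(parseCookieHeader('sid=abc%20123; theme=dark'));
```

The first call prints `sid=abc%20123; Path=/; Max-Age=3600; HttpOnly; Secure; SameSite=Lax`, which is exactly what the browser stores and refuses to expose to `document.cookie`.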

CSRF (Cross Site Request Forgery): since cookies are sent with every request to our server, it does not matter who initiated the request.

A malicious page can make a request using a form or an AJAX request, and the browser will send the cookie we set before to our site.

If our server relies only on the cookie value to perform an action, this is a problem, since the user might not even know the action was triggered.

One way to avoid this is to use a CSRF token.

A session is a cookie with a token as its value; the token is used on the server to look up information stored about the current session.

The reason we don't store the values directly in cookies on the browser is that, on the browser, the user can modify and manipulate the cookie value.

The user can still modify the token and write something different, but since our server only accepts tokens it generated itself, it will never accept the tampered cookie.