I've noticed that many sites create cookies named with a leading underscore. I've also seen similar in defaults for various web frameworks.
What is the significance of the leading underscore in cookie names?
Is it simply a convention, or is there a technical reason?
At the time this question was asked, there wasn't a specific technical reason. However, since about 2015 there has been support in browsers for two specific "cookie prefixes":
__Secure- prefix: Cookies with names starting with __Secure- (dash is part of the prefix) must be set with the secure flag from a secure page (HTTPS).
__Host- prefix: Cookies with names starting with __Host- must be set with the secure flag, must be from a secure page (HTTPS), must not have a domain specified (and therefore, are not sent to subdomains), and the path must be /.
These solve some historical security problems with cookies. By default it is possible for subdomains to set cookies on parent domains, which violates some expectations around the Same-Origin Policy. And it's possible for http://
URLs to set and overwrite cookies that were originally set via an https://
URL. By using these cookie prefixes you can opt out of those problems and into a more secure cookie paradigm.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With