Why do many sites name cookies with a leading underscore?

I've noticed that many sites create cookies named with a leading underscore. I've also seen similar in defaults for various web frameworks.

What is the significance of the leading underscore in cookie names?

Is it simply a convention, or is there a technical reason?

Brandon Bloom asked Jun 07 '11 21:06 (595 votes)


1 Answer

At the time this question was asked, there wasn't a specific technical reason. However, since about 2015 there has been support in browsers for two specific "cookie prefixes":

__Secure- prefix: Cookies with names starting with __Secure- (dash is part of the prefix) must be set with the secure flag from a secure page (HTTPS).

__Host- prefix: Cookies with names starting with __Host- must be set with the secure flag, must be from a secure page (HTTPS), must not have a domain specified (and therefore, are not sent to subdomains), and the path must be /.

These solve some historical security problems with cookies. By default it is possible for subdomains to set cookies on parent domains, which violates some expectations around the Same-Origin Policy. And it's possible for http:// URLs to set and overwrite cookies that were originally set via an https:// URL. By using these cookie prefixes you can opt out of those problems and into a more secure cookie paradigm.

jsha answered Sep 20 '22 09:09 (156 votes)
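As an added example (not part of jsha's answer), a small Node.js check that applies the two prefix rules from the answer to `Set-Cookie` headers the way a browser would, so you can lint headers in a test suite before relying on the prefixes; `fromSecureOrigin` and the sample headers are constructed for illustration.

```javascript
// Added example: validate Set-Cookie headers against the __Secure- and
// __Host- prefix rules. `fromSecureOrigin` is an assumed flag meaning the
// response was served over https://.

function parseSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rawAttrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1); // flag attrs become true
  }
  return { name, value, attrs };
}

// Returns the reasons a browser would reject the cookie; [] means accepted.
function prefixViolations(header, fromSecureOrigin) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  const isHost = name.startsWith("__Host-");
  if (!isHost && !name.startsWith("__Secure-")) return problems; // no prefix rules
  if (!("secure" in attrs)) problems.push("missing Secure attribute");
  if (!fromSecureOrigin) problems.push("not set from an https:// origin");
  if (isHost) {
    // __Host- additionally forbids Domain and pins Path to /
    if ("domain" in attrs) problems.push("Domain attribute not allowed");
    if (attrs.path !== "/") problems.push("Path must be exactly /");
  }
  return problems;
}

// Constructed sample headers: [header, served over https?]
const SAMPLES = [
  ["__Host-session=abc; Secure; Path=/", true],
  ["__Host-session=abc; Secure; Path=/; Domain=example.com", true],
  ["__Secure-id=xyz; Path=/", true],
  ["__Secure-id=xyz; Secure", false],
  ["session=abc; Path=/", false],
];
for (const [h, https] of SAMPLES) {
  const v = prefixViolations(h, https);
  console.log(`${h} -> ${v.length ? "REJECT: " + v.join(", ") : "accept"}`);
}
```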