HeadlinesBriefing.com

Modern Web Cookies: Guide for 2026 Developers

DEV Community

Ever returned to a site and found yourself still logged in? That convenience comes from a cookie, a tiny text token the server gives the browser. When you first request website.com, the response includes a Set‑Cookie header; the browser stores the ID and sends it back on subsequent visits, instantly identifying you.

Developers often confuse cookies with LocalStorage. Cookies travel with every HTTP request, making them ideal for authentication, while LocalStorage stays client‑side, perfect for preferences like dark mode. Modern browsers demand three protective attributes—HttpOnly, Secure, and SameSite—to guard against script theft, eavesdropping, and cross‑site request forgery.

To avoid common bugs, enable Secure only on production HTTPS sites, because localhost connections block the cookie. Browsers now cap a cookie’s lifespan at roughly 400 days, so refreshing the token each visit keeps sessions alive. Follow the 2026 playbook: use cookies for login with all three flags, and reserve LocalStorage for UI state.
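The checklist above as an added example, not code from the original article: one function issues a session cookie with the three attributes and a lifetime clamped to the 400-day cap, and a second audits any Set-Cookie value against the same rules. The function names, the `production` flag and the sample header are assumptions made for illustration.

```javascript
// Added example. All names here are hypothetical, not from the article.
const MAX_AGE_CAP = 400 * 24 * 60 * 60; // ~400-day browser cap, in seconds

// Build a Set-Cookie value for a session ID. Call it on every authenticated
// response so the lifetime is refreshed on each visit. `production` is an
// assumed flag (e.g. derived from NODE_ENV) that turns Secure on for HTTPS.
function buildSessionCookie(name, value, { maxAge, production }) {
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    `Max-Age=${Math.min(maxAge, MAX_AGE_CAP)}`, // clamp to the cap
    'HttpOnly',     // not readable from page scripts
    'SameSite=Lax', // withheld on cross-site POSTs and subresource requests
  ];
  if (production) parts.push('Secure'); // sent over HTTPS only
  return parts.join('; ');
}

// Parse a Set-Cookie value and report what the checklist would flag.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const seen = new Map();
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    seen.set(key, i === -1 ? '' : a.slice(i + 1));
  }
  const findings = [];
  if (!seen.has('httponly')) findings.push('missing HttpOnly');
  if (!seen.has('secure')) findings.push('missing Secure');
  const sameSite = (seen.get('samesite') || '').toLowerCase();
  if (!['strict', 'lax', 'none'].includes(sameSite)) {
    findings.push('missing SameSite');
  }
  if (sameSite === 'none' && !seen.has('secure')) {
    findings.push('SameSite=None requires Secure');
  }
  if (seen.has('max-age') && Number(seen.get('max-age')) > MAX_AGE_CAP) {
    findings.push('Max-Age above 400-day cap');
  }
  return { name: pair.split('=')[0], findings };
}

// Constructed sample: a two-year cookie with none of the attributes set.
const legacyHeader = 'sid=abc123; Path=/; Max-Age=63072000';
console.log(auditSetCookie(legacyHeader).findings);
console.log(buildSessionCookie('sid', 'abc123', { maxAge: 63072000, production: true }));
```
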