Full head of Set-cookie

According to the description of the Netscape cookie draft, a cookie is a piece of ASCII text that the Web server sends to the user's browser. Once a cookie is received, the browser stores the piece of information for the cookie in the form of a "name/value" pair (Name-value pairs), stored locally. after that, whenever a new document is requested for the same Web server, the Web browser sends a cookie that was previously stored locally on the site. The original purpose of creating cookies was to enable the Web server to track customers through multiple HTTP requests. Some complex web applications need to be consistent across different web pages, and they require the ability to maintain this session state.
The browser communicates with the Web server through the HTTP protocol, and the cookie is stored in the HTTP protocol's request or answer header (in the HTTP protocol, the data consists of two parts, part of the head, consisting of name-value pairs that describe some of the information to be transmitted.) Part of the body, is the real data (such as HTML pages, etc.) for transmission.
before the HTML document is sent, the Web server sends a Cookie to the user's browser by transmitting the Set-cookie message in the HTTP header.

Here is a full Set-cookie header following the Netscape Cookie draft:

set-cookie:customer=huangxp; path=/foo; domain=.ibm.com;
Expires= Wednesday, 19-oct-05 23:12:40 GMT; [Secure]

Each attribute of the Set-cookie is interpreted as follows:
Customer=huangxp a "name = value" Pair, set the name customer to the value "HUANGXP", which must be in the cookie.
Path=/foo controls which accesses can trigger the sending of cookies. If Path,cookie is not specified, it is sent at all HTTP transfers to this site. If path=/directory, the cookie is sent only if the page below/directory is accessed. In this example, the browser will send this cookie when the user accesses the contents of the directory/foo. If path is specified, but the path does not match the current access URL, the cookie is ignored.
domain=.ibm.com specifies which computer the cookie is sent to. Normally, the cookie is sent back only to the computer that originally sent the cookie to the user. In this example, the cookie is sent to any host in the. ibm.com domain. If domain is set to NULL, domain is set to be the same as the Web server that provides cookies. If domain is not empty and its value does not match the Web server domain name that provides the cookie, the cookie is ignored.
Expires= Wednesday, 19-oct-05 23:12:40 GMT Specifies when the cookie expires. If no expiration time is specified, the cookie is not written to the computer's hard disk and lasts until the end of the session.
Secure if the word secure is used as part of the Set-cookie header, then the Cookie can only be transmitted over a secure channel (currently the SSL channel). Otherwise, the browser ignores this cookie. (vulnerability scanned by IBM AppScan: A vulnerability that lacks the secure attribute in an encrypted session (SSL) cookie, you need to set this property and each Cookie in JS needs to be secured to resolve)
Once the browser has received the cookie, the cookie and successive requests to the remote Web server are sent together by the browser. For example, when the previous cookie is stored in a browser and the browser attempts to request a URL http://www.ibm.com/foo/index.html, the following HTTP header is sent to the remote Web server.
Get/foo/index.html http/1.0
Cookie:customer=huangxp

Http://blog.sina.com.cn/s/blog_70c4d9410100z3il.html