We hate cookies! A statement like that will get you a bunch of weird looks, except from people who deal with cookie configurations in the modern world. Cookies have a bad rap, and that's not entirely undeserved. Cookie security used to be messy and difficult, and it has only become more complex over the years. Undoubtedly, you've already bumped into broken cookie configurations or spent countless hours trying to figure out the meaning of a certain flag or its proper configuration value. Let's change that!
In this keynote, we dive into the modern security properties of cookies. We'll cover long-standing best practice configurations, such as the Secure and HttpOnly attributes. We also dive into newer options, such as the SameSite attribute or the cookie security prefixes (__Secure- and __Host-). Finally, we travel to the (very) near future and explore the concept of third-party cookie blocking, and how it will affect you. By the end of this keynote, not only will you understand modern cookie security behavior, but you will also be equipped to properly configure cookies for your applications.