Cookies are tiny key–value blobs with rules. Chrome enforces those rules rigorously: where the cookie applies (domain/path), when it’s sent (request matching + SameSite), how it’s protected (Secure/HttpOnly), and how long it survives (expiry/eviction). This post walks through the full lifecycle, browser behavior, sharp edges, and production patterns—with TypeScript examples.
- Use server-set `Secure; HttpOnly; SameSite=Lax` cookies for auth.
- Scope deliberately with domain and path; avoid accidental overlaps.
- Understand SameSite (and partitioning) for cross-site flows.
- Keep cookies small, few, and purposeful.
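To make the first two takeaways concrete, here is an added TypeScript example (my own code, not from the original post) that builds a `Set-Cookie` header while enforcing the combinations Chrome rejects at set time (`SameSite=None` without `Secure`, the `__Host-`/`__Secure-` prefix rules), and then implements the RFC 6265 domain- and path-matching a browser applies before attaching a cookie to a request. The function names (`buildSetCookie`, `sessionCookie`, `domainMatches`, `pathMatches`) and the `StoredCookie` shape are assumptions for illustration, not part of any library.

```typescript
// Added example (not code from the original post): a Set-Cookie builder that
// enforces the browser rules the summary lists, plus the domain/path matching
// a browser applies before attaching a cookie to a request. All names here
// (buildSetCookie, sessionCookie, domainMatches, pathMatches) are my own.

type SameSite = "Strict" | "Lax" | "None";

interface CookieOptions {
  domain?: string;        // omit for a host-only cookie (the safest default)
  path?: string;          // defaults to "/"
  maxAgeSeconds?: number; // omit for a session-lifetime cookie
  secure?: boolean;
  httpOnly?: boolean;
  sameSite?: SameSite;
}

// RFC 6265 token / cookie-octet grammars: anything else is rejected rather than
// silently mangled or split by ";" in the header.
const NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function buildSetCookie(name: string, value: string, opts: CookieOptions = {}): string {
  if (!NAME_RE.test(name)) throw new Error(`invalid cookie name: ${name}`);
  if (!VALUE_RE.test(value)) throw new Error("invalid cookie value");

  const { domain, path = "/", maxAgeSeconds, secure = true, httpOnly = true, sameSite = "Lax" } = opts;

  // Combinations Chrome rejects at set time; failing loudly here beats a cookie
  // that never arrives in production.
  if (sameSite === "None" && !secure) throw new Error("SameSite=None requires Secure");
  if (name.startsWith("__Secure-") && !secure) throw new Error("__Secure- cookies must be Secure");
  if (name.startsWith("__Host-")) {
    if (!secure) throw new Error("__Host- cookies must be Secure");
    if (path !== "/") throw new Error("__Host- cookies must use Path=/");
    if (domain !== undefined) throw new Error("__Host- cookies must not set Domain");
  }

  const parts: string[] = [`${name}=${value}`];
  // A leading dot on Domain is ignored by browsers; normalize it away.
  if (domain !== undefined) parts.push(`Domain=${domain.replace(/^\./, "")}`);
  parts.push(`Path=${path}`);
  if (maxAgeSeconds !== undefined) parts.push(`Max-Age=${Math.floor(maxAgeSeconds)}`);
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// The auth-cookie preset from the summary: host-only, __Host- prefixed,
// Secure, HttpOnly, SameSite=Lax, with a bounded lifetime.
function sessionCookie(sessionId: string, maxAgeSeconds = 3600): string {
  return buildSetCookie("__Host-session", sessionId, { maxAgeSeconds, sameSite: "Lax" });
}

// What the browser stored after parsing a Set-Cookie header (assumed shape).
interface StoredCookie {
  name: string;
  domain: string;    // the Domain attribute, or the setting host if absent
  hostOnly: boolean; // true when no Domain attribute was given
  path: string;
}

// RFC 6265 section 5.1.3 domain matching: exact host for host-only cookies;
// otherwise the host equals the domain or ends with "." + domain, and
// IPv4-literal hosts never suffix-match.
function domainMatches(requestHost: string, cookie: StoredCookie): boolean {
  const host = requestHost.toLowerCase();
  const domain = cookie.domain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  if (cookie.hostOnly) return false;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4 path matching: the cookie path must be a whole-segment
// prefix of the request path, so Path=/app covers /app/x but not /application.
function pathMatches(requestPath: string, cookiePath: string): boolean {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length) === "/";
}
```

`sessionCookie("s3ss10n")` yields `__Host-session=s3ss10n; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Lax`. The `__Host-` prefix is what guarantees the cookie is host-only and `Path=/`, which closes the "accidental overlap" problem: a sibling subdomain or a sibling path cannot set a cookie of the same name that the server would confuse with the real session.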