Run this example with Node.js: node index.js

This creates two servers: an unsecured (HTTP) server on port 7888 and a secured (HTTPS) server on port 7889.
You can then visit:
- wasec.local, which sets a host-only cookie
- the subdomain sub.wasec.local, which does not have access to the host-only cookie
- wasec.local?domain=on, which sets a cookie with a Domain attribute, valid for wasec.local and all of its subdomains
- sub.wasec.local again, which now has access to the Domain cookie
- wasec.local?secure=on, which sets a Secure cookie
- verify that the Secure cookie is not available when accessing the app over plain HTTP
- check that HttpOnly cookies are not available to JavaScript: open the devtools and you will see an additional cookie in the cookie store that is not printed on the webpage, because document.cookie cannot read it
- try setting a SameSite cookie, then try executing a cross-site request forgery and observe that the cookie is not sent along with the request; if you instead navigate to wasec.local:7888 yourself, you will see the cookie sent across with the request