History, motivating use cases
In the early days of the web, a server had no way to tell whether two requests came from the same browser. This was seen as a limitation, since it made it impossible, for instance, to keep a user logged in. It led Netscape to ship a mechanism called "cookies" in an early version of Netscape Navigator, in 1994. Web developers adopted it quickly and other browsers copied it.
With the introduction of
Basics of cookies
How cookies work is defined by RFC 6265. When answering an HTTP request, a server can add a Set-Cookie header to its response. Afterward, the browser sends the cookie value back in a Cookie header with every request made to the same server. The server can also give the cookie a lifetime (an Expires date or a Max-Age in seconds; without either, the cookie lasts only for the browser session) and restrict it to a given domain and path. Two further attributes matter for security: Secure, which keeps the cookie off plain HTTP connections, and HttpOnly, which keeps it out of reach of scripts running in the page.
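The exchange described above, as an added example that is not part of the original page: a small RFC 6265-style cookie jar that parses the Set-Cookie headers a server emits and then decides, for a later request URL, which cookies belong in the Cookie header. Expiry (Expires and Max-Age), Domain, Path and Secure are modelled; public-suffix checks and cookie-size limits are not. The host names, header values and the fixed clock are constructed for the illustration.

```python
# Added example (not the page's own code): a minimal RFC 6265-style cookie jar.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    domain: str                  # lower-case host the cookie belongs to
    host_only: bool              # True when the server gave no Domain attribute
    path: str
    secure: bool
    http_only: bool
    expires: Optional[datetime]  # None means "session cookie"

def default_path(request_path: str) -> str:
    """RFC 6265 section 5.1.4: the directory part of the request path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]

def parse_set_cookie(header: str, request_url: str, now: datetime) -> Cookie:
    """Turn one Set-Cookie value into a Cookie, deriving defaults from the request URL."""
    url = urlsplit(request_url)
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), url.hostname.lower(), True,
                    default_path(url.path), False, False, None)
    max_age = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            try:
                cookie.expires = parsedate_to_datetime(val)
                if cookie.expires.tzinfo is None:
                    cookie.expires = cookie.expires.replace(tzinfo=timezone.utc)
            except (TypeError, ValueError):
                pass                      # unparseable date: attribute ignored
        elif key == "max-age" and val.lstrip("-").isdigit():
            max_age = int(val)
        elif key == "domain" and val:
            cookie.domain, cookie.host_only = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    if max_age is not None:               # Max-Age takes precedence over Expires
        cookie.expires = now + timedelta(seconds=max(max_age, 0))
    return cookie

def domain_matches(host: str, cookie: Cookie) -> bool:
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: prefix match on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

class CookieJar:
    def __init__(self):
        self.cookies = {}   # keyed by (name, domain, path); a new cookie replaces the old

    def store(self, set_cookie: str, request_url: str, now: datetime) -> None:
        c = parse_set_cookie(set_cookie, request_url, now)
        self.cookies[(c.name, c.domain, c.path)] = c

    def cookie_header(self, request_url: str, now: datetime) -> Optional[str]:
        """Value of the Cookie header for request_url, or None when nothing applies."""
        url = urlsplit(request_url)
        host, path = url.hostname.lower(), url.path or "/"
        matching = []
        for c in list(self.cookies.values()):
            if c.expires is not None and c.expires <= now:
                del self.cookies[(c.name, c.domain, c.path)]   # expired: evict it
            elif c.secure and url.scheme != "https":
                continue                                        # never over plain HTTP
            elif domain_matches(host, c) and path_matches(path, c.path):
                matching.append(c)
        if not matching:
            return None
        matching.sort(key=lambda c: len(c.path), reverse=True)  # longer paths first
        return "; ".join(f"{c.name}={c.value}" for c in matching)

NOW = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo

def demo() -> dict:
    """Constructed exchange: headers a server might send after a login, then later requests."""
    jar = CookieJar()
    login = "https://app.example.com/account/login"
    jar.store("sid=3f9a2c; Path=/; Secure; HttpOnly; Max-Age=3600", login, NOW)
    jar.store("theme=dark; Domain=example.com; Path=/account", login, NOW)
    jar.store("promo=1; Expires=Wed, 09 Jun 2010 10:18:14 GMT", login, NOW)  # already expired
    return {
        "same_host_https": jar.cookie_header("https://app.example.com/account/settings", NOW),
        "same_host_http": jar.cookie_header("http://app.example.com/account/settings", NOW),
        "site_root": jar.cookie_header("https://app.example.com/", NOW),
        "sibling_host": jar.cookie_header("https://www.example.com/account/", NOW),
        "after_expiry": jar.cookie_header("https://app.example.com/account/settings",
                                          NOW + timedelta(hours=2)),
    }
```

Running `demo()` shows the rules in action: the Secure session cookie is sent to the HTTPS origin but withheld from the same host over HTTP, the Domain=example.com cookie also reaches www.example.com while the host-only one does not, the cookie with a 2010 Expires date is never sent, and the Max-Age cookie disappears once the clock passes its lifetime.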
Incompatibility with the REST architectural style
In the dissertation where he defines REST, Roy Fielding says about cookies:
Cookies used as client-side storage
Cookies have been used as client-side storage. That use could be considered legitimate when there was no other way to store data on the client side, but it no longer is: in 2012, an estimated 90% of users worldwide have a browser that supports the local storage API. Since cookies travel with every request, anything stored in them is an extra cost on every round trip, which matters most on mobile networks.
Since cookies are often used to identify a user in an application, stealing a cookie means stealing the user's identity in that application: whoever holds the cookie can replay it and act as the user until it expires or is revoked. This is why the Secure and HttpOnly attributes and short lifetimes matter for session cookies.
Also, combined with the Referer (sic) HTTP header, cookies allow users to be tracked across sites.
When using cookies, a resource (the "R" in "URL") is defined (and generated on the server side) by the URL together with the cookie. The cookie then acts as a secret shared between the client and the server (and, hopefully, no one else). In a paper, Tyler Close suggests putting the secret directly in the URL (hence the name "web keys") and answers the common objections to that design.
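The web-key idea in miniature, as an added example that is neither the page's nor Close's own code: the secret that selects a resource lives in the URL rather than in a cookie. As in Close's paper, it is placed in the URL fragment, which the browser neither sends to the server nor copies into Referer; the page's own script reads it from location.hash and resends it as a query parameter. The in-memory store, the base URL, the `s` parameter name and the key size are assumptions made for this example.

```python
# Added example (not from the page or from Close's paper): web keys in miniature.
import secrets
from urllib.parse import parse_qs, urlsplit, urlunsplit

KEY_BYTES = 16   # 128 random bits: unguessable, comparable to a session id (assumption)

def mint_web_key(base_url: str, store: dict, resource: object) -> str:
    """Register `resource` under a fresh random key and return its web-key URL."""
    key = secrets.token_urlsafe(KEY_BYTES)
    store[key] = resource
    scheme, netloc, path, query, _ = urlsplit(base_url)
    return urlunsplit((scheme, netloc, path, query, key))   # the key is the fragment

def referer_for(url: str) -> str:
    """What a browser puts in Referer when leaving `url`: the fragment is dropped
    (RFC 7231 section 5.5.2), so the key does not leak to linked sites."""
    scheme, netloc, path, query, _ = urlsplit(url)
    return urlunsplit((scheme, netloc, path, query, ""))

def client_fetch_url(web_key_url: str) -> str:
    """The request the page's script makes after reading the key from location.hash."""
    scheme, netloc, path, _, key = urlsplit(web_key_url)
    return urlunsplit((scheme, netloc, path, "s=" + key, ""))

def resolve(store: dict, request_url: str):
    """Server side: select the resource by the presented key; None if it is unknown."""
    key = parse_qs(urlsplit(request_url).query).get("s", [""])[0]
    return store.get(key)

def demo() -> dict:
    store = {}                                   # constructed in-memory resource table
    url = mint_web_key("https://example.com/app/", store, {"doc": "private notes"})
    return {
        "web_key_url": url,
        "referer_leaks_key": urlsplit(url).fragment in referer_for(url),
        "resolved": resolve(store, client_fetch_url(url)),
        "guess": resolve(store, "https://example.com/app/?s=not-the-key"),
    }
```

Two points the code makes concrete: a link followed from the web-key page carries only `https://example.com/app/` in Referer, and a request without the right key resolves to nothing, exactly as a request without the right cookie would. The caveat is visible too: because the server never sees the fragment, the script has to resend the key in the query string, where it is subject to the usual handling of URLs in server logs.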