A: Wrong. You should be able to access the sub-domain.
B: Wrong. An HttpOnly cookie can only be set from the server side; Secure means HTTPS only.
C: Correct. If you don't set a max age (expiry) for the cookie, it works like a session cookie.
D: Correct. By default, it is set to SameSite=Lax.
SameSite=Lax: This is a less restrictive model than Strict. Cookies will be withheld on cross-site subrequests, like loading images or frames, but will be sent when a user navigates to the URL from an external site, like by following a link.