Set-Cookie

Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax

What it does

The server uses this header to store state in the client: one cookie per Set-Cookie header, with attributes controlling scope (Domain/Path), lifetime (Max-Age), and security (Secure/HttpOnly/SameSite).

The gotcha

Multiple cookies need multiple Set-Cookie headers — joining them with commas corrupts them, a classic proxy/serverless bug.
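
The folding bug described above, as an added example (not ReqPad's code and not part of the original page): a constructed pair of Set-Cookie values is parsed as two headers and then again after a comma join. The helper names parseSetCookie, foldBuggy and looksFolded, and the theme cookie, are assumptions made for this illustration.

```javascript
// Constructed sample values: the page's example cookie plus a second, made-up one.
const headers = [
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "theme=dark; Path=/; Max-Age=3600",
];

// Parse ONE Set-Cookie value. As in a browser, the first name=value pair is the
// cookie, everything after a ";" is an attribute, and a repeated attribute is
// overwritten by its last occurrence.
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// The bug: an intermediary that treats Set-Cookie like any list-valued header.
function foldBuggy(values) {
  return values.join(", ");
}

// Heuristic check for proxy or serverless middleware tests: a comma followed by
// "token=" inside one attribute means several cookies were folded together.
// The weekday comma of an Expires date ("Wed, 21 Oct ...") is stripped first,
// because that comma is legitimate.
function looksFolded(line) {
  return line.split(";").some((part) =>
    /,\s*[^=;,\s]+=/.test(part.trim().replace(/^expires=\w+,/i, "")));
}

const separate = headers.map(parseSetCookie);      // correct: two cookies
const folded = parseSetCookie(foldBuggy(headers)); // buggy: one cookie
console.log(separate.length, "cookies when sent as separate headers");
console.log("after folding:", folded);
console.log("folded value flagged:", looksFolded(foldBuggy(headers)));
```

After folding, only the session cookie survives, its SameSite value is no longer a recognised keyword, and it picks up the Max-Age that was meant for the other cookie.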

Debugging headers on a phone

The fastest way to see what Set-Cookie is actually doing is to send the request and read both sides raw — ReqPad shows auto-generated and custom headers for every request, on all six protocols, with history.
