Cookies Have state __Host __Server prefixes Same Site, HttpOnly, Secure Anti Forgery Tokens Use same domain