HttpOnly hides the cookie from JavaScript to blunt XSS. Secure keeps it to HTTPS. SameSite controls cross-site sending and is the core CSRF defense, and SameSite=None only works alongside Secure. Domain and Path scope where it applies; Max-Age and Expires decide how long it lives.
Common questions and answers about this topic.
Strict never sends the cookie cross-site; Lax sends it only on top-level navigations like clicking a link; None sends it on all cross-site requests but requires Secure. Lax is the modern browser default.
HttpOnly stops JavaScript from reading the cookie (defense against XSS theft). Secure stops it being sent over plain HTTP (defense against network interception). They protect against different attacks, so sensitive cookies usually set both.
If it has neither Max-Age nor Expires, it's a session cookie and disappears when the browser closes. Max-Age (seconds from now) wins over Expires (an absolute date); a Max-Age of 0 or less deletes it immediately.
No. Everything is parsed entirely in your browser, and nothing you paste leaves your device.