CookieCookie is the request header a browser uses to send back the cookies a server previously planted via Set-Cookie. It is the core mechanism for keeping session, login, and personalization state on top of stateless HTTP.
The value is `name=value` pairs joined by semicolons, carrying only each cookie's name and value. Attributes like Domain, Path, Expires, Secure, HttpOnly, and SameSite exist only when the server sets them via Set-Cookie; they guide which cookies the browser sends but are never echoed back in the Cookie request header. In short, Cookie (request) and Set-Cookie (response) are a pair with different direction and format.
The browser automatically attaches only cookies whose Domain/Path match the request URL, only over HTTPS if Secure, and as allowed by the SameSite policy. They ride along on every matching request without developer action, so many cookies inflate the header size of all requests.
Precisely because cookies are sent automatically, they are the root cause of CSRF (cross-site request forgery). Defend with SameSite=Lax/Strict and anti-CSRF tokens, and use HttpOnly to block JavaScript access, mitigating session theft via XSS.
Cookie: <name>=<value>[; <name>=<value>]*e.g. Cookie: session_id=abc123; theme=dark; lang=ko