Send and store cookies

Store cookies the server sends and automatically replay them on later requests — essential for session-based login flows.

Overview

Store cookies the server sends and automatically replay them on later requests — essential for session-based login flows.

In code

# save cookies from login, then reuse them:
curl -c cookies.txt -X POST https://example.com/login \
  -d 'user=alice&pass=s3cret'

curl -b cookies.txt https://example.com/dashboard

# or send a cookie inline:
curl -b 'session=abc123' https://example.com/dashboard
// browser: send cookies with the request (same-origin sends them by default)
await fetch('https://example.com/dashboard', {
  credentials: 'include' // needed for cross-origin cookies
});
// Set-Cookie from the response is handled by the browser, not readable JS
import requests

s = requests.Session()  # persists cookies across requests
s.post('https://example.com/login', data={'user': 'alice', 'pass': 's3cret'})
res = s.get('https://example.com/dashboard')  # cookies sent automatically

Details

curl saves response `Set-Cookie` values into a cookie jar with `-c <file>` and sends them back with `-b <file>`; you can also set one inline with `-b 'name=value'`. In `requests`, a `Session` object persists cookies for you.

In browser `fetch`, sending cookies cross-origin requires `credentials: 'include'`, and the server must respond with `Access-Control-Allow-Credentials: true` plus a specific `Access-Control-Allow-Origin` (no wildcard `*`). A `Set-Cookie` marked `HttpOnly` cannot be read from JS via `document.cookie`.

Mind the cookie attributes: `Secure` restricts sending to HTTPS, `SameSite=Strict|Lax|None` controls cross-site sending (and `SameSite=None` must be paired with `Secure`). These attributes directly govern CSRF protection and cross-site behavior.

Related headers

Related status codes