Store cookies the server sends and automatically replay them on later requests — essential for session-based login flows.
Store cookies the server sends and automatically replay them on later requests — essential for session-based login flows.
# save cookies from login, then reuse them:
curl -c cookies.txt -X POST https://example.com/login \
-d 'user=alice&pass=s3cret'
curl -b cookies.txt https://example.com/dashboard
# or send a cookie inline:
curl -b 'session=abc123' https://example.com/dashboard// browser: send cookies with the request (same-origin sends them by default)
await fetch('https://example.com/dashboard', {
credentials: 'include' // needed for cross-origin cookies
});
// Set-Cookie from the response is handled by the browser, not readable JSimport requests
s = requests.Session() # persists cookies across requests
s.post('https://example.com/login', data={'user': 'alice', 'pass': 's3cret'})
res = s.get('https://example.com/dashboard') # cookies sent automaticallycurl saves response `Set-Cookie` values into a cookie jar with `-c <file>` and sends them back with `-b <file>`; you can also set one inline with `-b 'name=value'`. In `requests`, a `Session` object persists cookies for you.
In browser `fetch`, sending cookies cross-origin requires `credentials: 'include'`, and the server must respond with `Access-Control-Allow-Credentials: true` plus a specific `Access-Control-Allow-Origin` (no wildcard `*`). A `Set-Cookie` marked `HttpOnly` cannot be read from JS via `document.cookie`.
Mind the cookie attributes: `Secure` restricts sending to HTTPS, `SameSite=Strict|Lax|None` controls cross-site sending (and `SameSite=None` must be paired with `Secure`). These attributes directly govern CSRF protection and cross-site behavior.