1# HTTP Cookies 2 3## Cookie overview 4 5 Cookies are `name=contents` pairs that an HTTP server tells the client to 6 hold and then the client sends back those to the server on subsequent 7 requests to the same domains and paths for which the cookies were set. 8 9 Cookies are either "session cookies" which typically are forgotten when the 10 session is over which is often translated to equal when browser quits, or 11 the cookies are not session cookies they have expiration dates after which 12 the client will throw them away. 13 14 Cookies are set to the client with the Set-Cookie: header and are sent to 15 servers with the Cookie: header. 16 17 For a long time, the only spec explaining how to use cookies was the 18 original [Netscape spec from 1994](https://curl.se/rfc/cookie_spec.html). 19 20 In 2011, [RFC 6265](https://www.ietf.org/rfc/rfc6265.txt) was finally 21 published and details how cookies work within HTTP. In 2016, an update which 22 added support for prefixes was 23 [proposed](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00), 24 and in 2017, another update was 25 [drafted](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-alone-01) 26 to deprecate modification of 'secure' cookies from non-secure origins. Both 27 of these drafts have been incorporated into a proposal to 28 [replace](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-11) 29 RFC 6265. Cookie prefixes and secure cookie modification protection has been 30 implemented by curl. 31 32 curl considers `http://localhost` to be a *secure context*, meaning that it 33 will allow and use cookies marked with the `secure` keyword even when done 34 over plain HTTP for this host. curl does this to match how popular browsers 35 work with secure cookies. 36 37## Cookies saved to disk 38 39 Netscape once created a file format for storing cookies on disk so that they 40 would survive browser restarts. curl adopted that file format to allow 41 sharing the cookies with browsers, only to see browsers move away from that 42 format. Modern browsers no longer use it, while curl still does. 43 44 The Netscape cookie file format stores one cookie per physical line in the 45 file with a bunch of associated meta data, each field separated with 46 TAB. That file is called the cookie jar in curl terminology. 47 48 When libcurl saves a cookie jar, it creates a file header of its own in 49 which there is a URL mention that will link to the web version of this 50 document. 51 52## Cookie file format 53 54 The cookie file format is text based and stores one cookie per line. Lines 55 that start with `#` are treated as comments. An exception is lines that 56 start with `#HttpOnly_`, which is a prefix for cookies that have the 57 `HttpOnly` attribute set. 58 59 Each line that specifies a single cookie consists of seven text fields 60 separated with TAB characters. A valid line must end with a newline 61 character. 62 63### Fields in the file 64 65 Field number, what type and example data and the meaning of it: 66 67 0. string `example.com` - the domain name 68 1. boolean `FALSE` - include subdomains 69 2. string `/foobar/` - path 70 3. boolean `TRUE` - send/receive over HTTPS only 71 4. number `1462299217` - expires at - seconds since Jan 1st 1970, or 0 72 5. string `person` - name of the cookie 73 6. string `daniel` - value of the cookie 74 75## Cookies with curl the command line tool 76 77 curl has a full cookie "engine" built in. If you just activate it, you can 78 have curl receive and send cookies exactly as mandated in the specs. 79 80 Command line options: 81 82 `-b, --cookie` 83 84 tell curl a file to read cookies from and start the cookie engine, or if it 85 is not a file it will pass on the given string. `-b name=var` works and so 86 does `-b cookiefile`. 87 88 `-j, --junk-session-cookies` 89 90 when used in combination with -b, it will skip all "session cookies" on load 91 so as to appear to start a new cookie session. 92 93 `-c, --cookie-jar` 94 95 tell curl to start the cookie engine and write cookies to the given file 96 after the request(s) 97 98## Cookies with libcurl 99 100 libcurl offers several ways to enable and interface the cookie engine. These 101 options are the ones provided by the native API. libcurl bindings may offer 102 access to them using other means. 103 104 `CURLOPT_COOKIE` 105 106 Is used when you want to specify the exact contents of a cookie header to 107 send to the server. 108 109 `CURLOPT_COOKIEFILE` 110 111 Tell libcurl to activate the cookie engine, and to read the initial set of 112 cookies from the given file. Read-only. 113 114 `CURLOPT_COOKIEJAR` 115 116 Tell libcurl to activate the cookie engine, and when the easy handle is 117 closed save all known cookies to the given cookie jar file. Write-only. 118 119 `CURLOPT_COOKIELIST` 120 121 Provide detailed information about a single cookie to add to the internal 122 storage of cookies. Pass in the cookie as an HTTP header with all the 123 details set, or pass in a line from a Netscape cookie file. This option can 124 also be used to flush the cookies etc. 125 126 `CURLOPT_COOKIESESSION` 127 128 Tell libcurl to ignore all cookies it is about to load that are session 129 cookies. 130 131 `CURLINFO_COOKIELIST` 132 133 Extract cookie information from the internal cookie storage as a linked 134 list. 135 136## Cookies with JavaScript 137 138 These days a lot of the web is built up by JavaScript. The web browser loads 139 complete programs that render the page you see. These JavaScript programs 140 can also set and access cookies. 141 142 Since curl and libcurl are plain HTTP clients without any knowledge of or 143 capability to handle JavaScript, such cookies will not be detected or used. 144 145 Often, if you want to mimic what a browser does on such websites, you can 146 record web browser HTTP traffic when using such a site and then repeat the 147 cookie operations using curl or libcurl. 148