• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# HTTP Cookies
2
3## Cookie overview
4
5  Cookies are `name=contents` pairs that an HTTP server tells the client to
6  hold and then the client sends back those to the server on subsequent
7  requests to the same domains and paths for which the cookies were set.
8
9  Cookies are either "session cookies" which typically are forgotten when the
10  session is over which is often translated to equal when browser quits, or
11  the cookies are not session cookies they have expiration dates after which
12  the client will throw them away.
13
14  Cookies are set to the client with the Set-Cookie: header and are sent to
15  servers with the Cookie: header.
16
17  For a long time, the only spec explaining how to use cookies was the
18  original [Netscape spec from 1994](https://curl.se/rfc/cookie_spec.html).
19
20  In 2011, [RFC 6265](https://www.ietf.org/rfc/rfc6265.txt) was finally
21  published and details how cookies work within HTTP. In 2016, an update which
22  added support for prefixes was
23  [proposed](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00),
24  and in 2017, another update was
25  [drafted](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-alone-01)
26  to deprecate modification of 'secure' cookies from non-secure origins. Both
27  of these drafts have been incorporated into a proposal to
28  [replace](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-11)
29  RFC 6265. Cookie prefixes and secure cookie modification protection has been
30  implemented by curl.
31
32  curl considers `http://localhost` to be a *secure context*, meaning that it
33  will allow and use cookies marked with the `secure` keyword even when done
34  over plain HTTP for this host. curl does this to match how popular browsers
35  work with secure cookies.
36
37## Cookies saved to disk
38
39  Netscape once created a file format for storing cookies on disk so that they
40  would survive browser restarts. curl adopted that file format to allow
41  sharing the cookies with browsers, only to see browsers move away from that
42  format. Modern browsers no longer use it, while curl still does.
43
44  The Netscape cookie file format stores one cookie per physical line in the
45  file with a bunch of associated meta data, each field separated with
46  TAB. That file is called the cookie jar in curl terminology.
47
48  When libcurl saves a cookie jar, it creates a file header of its own in
49  which there is a URL mention that will link to the web version of this
50  document.
51
52## Cookie file format
53
54  The cookie file format is text based and stores one cookie per line. Lines
55  that start with `#` are treated as comments. An exception is lines that
56  start with `#HttpOnly_`, which is a prefix for cookies that have the
57  `HttpOnly` attribute set.
58
59  Each line that specifies a single cookie consists of seven text fields
60  separated with TAB characters. A valid line must end with a newline
61  character.
62
63### Fields in the file
64
65  Field number, what type and example data and the meaning of it:
66
67  0. string `example.com` - the domain name
68  1. boolean `FALSE` - include subdomains
69  2. string `/foobar/` - path
70  3. boolean `TRUE` - send/receive over HTTPS only
71  4. number `1462299217` - expires at - seconds since Jan 1st 1970, or 0
72  5. string `person` - name of the cookie
73  6. string `daniel` - value of the cookie
74
75## Cookies with curl the command line tool
76
77  curl has a full cookie "engine" built in. If you just activate it, you can
78  have curl receive and send cookies exactly as mandated in the specs.
79
80  Command line options:
81
82  `-b, --cookie`
83
84  tell curl a file to read cookies from and start the cookie engine, or if it
85  is not a file it will pass on the given string. `-b name=var` works and so
86  does `-b cookiefile`.
87
88  `-j, --junk-session-cookies`
89
90  when used in combination with -b, it will skip all "session cookies" on load
91  so as to appear to start a new cookie session.
92
93  `-c, --cookie-jar`
94
95  tell curl to start the cookie engine and write cookies to the given file
96  after the request(s)
97
98## Cookies with libcurl
99
100  libcurl offers several ways to enable and interface the cookie engine. These
101  options are the ones provided by the native API. libcurl bindings may offer
102  access to them using other means.
103
104  `CURLOPT_COOKIE`
105
106  Is used when you want to specify the exact contents of a cookie header to
107  send to the server.
108
109  `CURLOPT_COOKIEFILE`
110
111  Tell libcurl to activate the cookie engine, and to read the initial set of
112  cookies from the given file. Read-only.
113
114  `CURLOPT_COOKIEJAR`
115
116  Tell libcurl to activate the cookie engine, and when the easy handle is
117  closed save all known cookies to the given cookie jar file. Write-only.
118
119  `CURLOPT_COOKIELIST`
120
121  Provide detailed information about a single cookie to add to the internal
122  storage of cookies. Pass in the cookie as an HTTP header with all the
123  details set, or pass in a line from a Netscape cookie file. This option can
124  also be used to flush the cookies etc.
125
126  `CURLOPT_COOKIESESSION`
127
128  Tell libcurl to ignore all cookies it is about to load that are session
129  cookies.
130
131  `CURLINFO_COOKIELIST`
132
133  Extract cookie information from the internal cookie storage as a linked
134  list.
135
136## Cookies with JavaScript
137
138  These days a lot of the web is built up by JavaScript. The web browser loads
139  complete programs that render the page you see. These JavaScript programs
140  can also set and access cookies.
141
142  Since curl and libcurl are plain HTTP clients without any knowledge of or
143  capability to handle JavaScript, such cookies will not be detected or used.
144
145  Often, if you want to mimic what a browser does on such websites, you can
146  record web browser HTTP traffic when using such a site and then repeat the
147  cookie operations using curl or libcurl.
148