cookies

Cookie

Client sends previously stored cookies that match the request's origin, path, and Secure/SameSite constraints. All applicable name=value pairs are concatenated into a single header.

Cookie: <name>=<value>[; <name>=<value>...]

Common directives / values

Directive Purpose
session=<id> Server-side session identifier.
XSRF-TOKEN=<token> Anti-CSRF token read by JS and echoed in a request header.
consent=true Preference stored client-side (cookie banner, etc.).
lang=en-US Explicit language override chosen by the user.

Examples

Cookie: session=abc123; theme=dark

Two cookies sent with a single header.

Cookie: __Secure-session=xyz; __Host-csrf=aaa

Cookies with security prefixes — only sent over HTTPS.

curl -b 'session=abc123' https://example.com/api

curl sending a cookie manually.

Cookie:

Empty header sent by some clients to explicitly signal 'no cookies'.

Gotcha

Cookies are size-limited (~4 KB per cookie, ~4 KB total per host on most browsers) — large session state belongs elsewhere. Cross-origin requests only include cookies when credentials: 'include' is set AND the CORS headers permit credentials.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors