cookies
Cookie
Client sends previously stored cookies that match the request's origin, path, and Secure/SameSite constraints. All applicable name=value pairs are concatenated into a single header.
Cookie: <name>=<value>[; <name>=<value>...] Common directives / values
| Directive | Purpose |
|---|---|
| session=<id> | Server-side session identifier. |
| XSRF-TOKEN=<token> | Anti-CSRF token read by JS and echoed in a request header. |
| consent=true | Preference stored client-side (cookie banner, etc.). |
| lang=en-US | Explicit language override chosen by the user. |
Examples
Cookie: session=abc123; theme=dark Two cookies sent with a single header.
Cookie: __Secure-session=xyz; __Host-csrf=aaa Cookies with security prefixes — only sent over HTTPS.
curl -b 'session=abc123' https://example.com/api curl sending a cookie manually.
Cookie: Empty header sent by some clients to explicitly signal 'no cookies'.
Gotcha
Cookies are size-limited (~4 KB per cookie, ~4 KB total per host on most browsers) — large session state belongs elsewhere. Cross-origin requests only include cookies when credentials: 'include' is set AND the CORS headers permit credentials.
Related headers
Set-Cookie
Server instructs the client to store a cookie with attributes governing lifetime, scope, and security. Each cookie needs its own Set-Cookie header — they are the one HTTP header that MUST NOT be comma-folded.
Authorization
Carries client credentials to the server per the scheme announced in a prior WWW-Authenticate challenge (or agreed out of band). The scheme names the auth mechanism; the credentials are its scheme-specific payload.
Access-Control-Allow-Credentials
Signals that the response may be shared with the requesting origin even when the request was made with credentials (cookies, HTTP auth, or client TLS certs). The only legal value is the literal string 'true'.
Origin
Identifies the origin that caused the request without exposing path or query, sent on CORS requests and on all POST-like navigations. Central to CSRF defense and CORS policy decisions.