How are cookies passed in the HTTP protocol?
4 Answers
The server sends the following in its response header to set a cookie field.
`Set-Cookie: name=value`
If there is a cookie set, then the browser sends the following in its request header.
`Cookie: name=value`
See the HTTP Cookie article at Wikipedia for more information.
- Is it true that the cookie only works with the GET/POST verbs, but not CONNECT? – PerlDev Jul 12 '12 at 13:10
- @PerlDev There is nothing that I can see in [rfc2109](http://tools.ietf.org/html/rfc2109) that says that it should not work with requests other than GET/POST, but I suspect that the browser and server implementations may not implement it in those cases. – deinst Jul 12 '12 at 15:02
- Note that according to [RFC 2109](https://www.ietf.org/rfc/rfc2109.txt) if a user agent or browser sends multiple cookies, it will put them in a single field delimited by semicolons: `Cookie: name1=value1; name2=value2; ...` – jotrocken May 04 '18 at 15:16

Cookies are passed as HTTP headers, both in the request (client -> server), and in the response (server -> client).

Apart from what is written in the other answers, other details related to the path of the cookie, the maximum age of the cookie, and whether it is secure or not are also passed in the Set-Cookie response header. For instance:
`Set-Cookie: name=value[; expires=date][; domain=domain][; path=path][; secure]`
However, not all of these details are passed back to the server by the client when making the next HTTP request.
You can also set the HttpOnly flag at the end of your cookie to indicate that your cookie is HttpOnly and must not be accessed in scripts by JavaScript code. This helps to prevent attacks such as session hijacking.
For more information, see RFC 2109. Also have a look at Nicholas C. Zakas's article, HTTP cookies explained.

- Here is a direct link to Zakas's article, rather than a wayback link: https://humanwhocodes.com/blog/2009/05/05/http-cookies-explained/ – Joseph Dykstra Dec 11 '18 at 22:37

Create an example script named resp:
```bash
#!/bin/bash
# Emit a minimal HTTP response that sets one cookie.
http_code=200
mime=text/html
# HTTP header lines end in CRLF; an empty line ends the header block.
printf 'HTTP/1.1 %s OK\r\n' "$http_code"
printf 'Content-Type: %s\r\n' "$mime"
printf 'Set-Cookie: name=F\r\n'
printf '\r\n'
```
Then make it executable and run it like this:
```
./resp | nc -l 12346
```
Open a browser and browse to the URL http://localhost:12346. You will see the Cookie value which is sent by the browser:
```
[aaa@bbbbbbbb ]$ ./resp | nc -l -p 12346
GET / HTTP/1.1
Host: xxx.xxx.xxx.xxx:12346
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ru;q=0.6
Cookie: name=F
```

- What if there are multiple cookies? Are they separated by comma's? – Mark Buikema May 15 '17 at 21:50
- @MarkBuikema, see https://learn.microsoft.com/en-us/windows/desktop/wininet/http-cookies . They are sent like: Cookie: = [; = ]... – Ben Wheeler Aug 01 '18 at 19:06
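
An added example (not from any of the answers or comments above) that ties the thread together: it parses `Set-Cookie` values as a client would, then builds the `Cookie` request header, showing that Path, Secure and HttpOnly stay on the client and only `name=value` pairs, joined by `; `, go back to the server. The function names, the default path of `/` and the sample headers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"   # assumption: default to "/" when no Path attribute is given
    secure: bool = False
    http_only: bool = False

def parse_set_cookie(header_value):
    """Parse one Set-Cookie value; expires= and domain= are skipped, not enforced."""
    first, *attrs = [part.strip() for part in header_value.split(";")]
    name, sep, value = first.partition("=")
    if not sep or not name.strip():
        raise ValueError("Set-Cookie must start with name=value")
    cookie = Cookie(name.strip(), value.strip())
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie

def path_matches(request_path, cookie_path):
    """True when cookie_path equals request_path or is a directory prefix of it."""
    if not request_path.startswith(cookie_path):
        return False
    rest = request_path[len(cookie_path):]
    return rest == "" or cookie_path.endswith("/") or rest.startswith("/")

def cookie_header(jar, scheme, path):
    """Value of the Cookie request header: name=value pairs only, joined by '; '."""
    return "; ".join(f"{c.name}={c.value}" for c in jar
                     if path_matches(path, c.path)
                     and (scheme == "https" or not c.secure))

def script_visible(jar):
    """Cookie names page scripts can read; HttpOnly cookies are withheld."""
    return [c.name for c in jar if not c.http_only]

# Constructed sample Set-Cookie values (not taken from the page)
JAR = [parse_set_cookie(h) for h in (
    "sid=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/", "cart=42; Path=/shop")]
```

Calling `cookie_header(JAR, "http", "/")` leaves out the Secure cookie, and `script_visible(JAR)` leaves out the HttpOnly one, which is the property that keeps a session identifier out of reach of injected script.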