How to use cookies in cURL requests

Cookies let separate HTTP requests behave like one logged-in or personalized session. Use them when an application expects a session cookie, a preference cookie, or another server-issued value to come back on later requests.

Servers set cookies with the Set-Cookie response header, and clients return them in the Cookie request header. In cURL, --cookie sends cookie data with the request. When the argument looks like name=value, cURL treats it as literal cookie header data. When the argument is a cookie jar path, cURL loads matching rows from that file and sends only the cookies that apply to the target URL.

Use inline cookies when you already know the exact values to send. Use a cookie jar when the server sets or rotates the cookies for you. --cookie-jar writes the updated jar after the transfer finishes, so later requests must pass that file back to --cookie. Keep each jar private to one account or automation run.

Steps to use cookies in cURL requests:

Run a request without cookies so you have a clear before state.
```
$ curl --silent https://httpbin.org/cookies
{
  "cookies": {}
}
```
This makes the later cookie-bearing responses easier to verify because the endpoint starts with no request cookies.
Send one literal cookie with --cookie when you already know the name and value to return.
```
$ curl --silent --cookie "session=sess_01JQF6Z2M9R4MASKED5T7V8W1X3Y" https://httpbin.org/cookies
{
  "cookies": {
    "session": "sess_01JQF6Z2M9R4MASKED5T7V8W1X3Y"
  }
}
```
If the argument contains =, cURL treats it as cookie header data instead of a filename.

Send several cookies in one request by separating each pair with a semicolon inside the same --cookie string.

$ curl --silent --cookie "session=sess_01JQF6Z2M9R4MASKED5T7V8W1X3Y; pref_region=ap-southeast-1; ui_theme=ops-dark" https://httpbin.org/cookies
{
  "cookies": {
    "pref_region": "ap-southeast-1",
    "session": "sess_01JQF6Z2M9R4MASKED5T7V8W1X3Y",
    "ui_theme": "ops-dark"
  }
}

This is useful for quick tests, but use a cookie jar instead when the server also cares about domain, path, secure, or expiry rules.

Save a reusable cookie jar from a response that sets the session cookie.
```
$ curl --silent --location --cookie-jar cookies.txt "https://httpbin.org/cookies/set?session=sess_01JQF6Z2M9R4MASKED5T7V8W1X3Y"
{
  "cookies": {
    "session": "sess_01JQF6Z2M9R4MASKED5T7V8W1X3Y"
  }
}
```
--location follows the redirect to /cookies so the response body shows the cookie that was just set. --cookie-jar writes the jar after the request completes.
Send the saved cookie back on a later request by passing the jar file to --cookie.
```
$ curl --silent --cookie cookies.txt https://httpbin.org/cookies
{
  "cookies": {
    "session": "sess_01JQF6Z2M9R4MASKED5T7V8W1X3Y"
  }
}
```
cURL reads the jar, matches the cookie against the request URL, and sends only the cookies that belong on that request.
Read and write the same jar in one command when the server rotates the session cookie.
```
$ curl --silent --location --cookie cookies.txt --cookie-jar cookies.txt "https://httpbin.org/cookies/set?session=sess_01JQH1P7T6N2MASKED4R8K3M9X5C"
{
  "cookies": {
    "session": "sess_01JQH1P7T6N2MASKED4R8K3M9X5C"
  }
}
```
This keeps one file current across a login or refresh flow. Use one jar per identity so cookies from different accounts do not overwrite each other.
Confirm the later request sends the rotated value before you reuse the jar in a longer script.
```
$ curl --silent --cookie cookies.txt https://httpbin.org/cookies
{
  "cookies": {
    "session": "sess_01JQH1P7T6N2MASKED4R8K3M9X5C"
  }
}
```
If the response still shows the earlier value, check the request host, path, protocol, and cookie expiry before assuming the jar was ignored.
Remove the jar when the session is no longer needed.
```
$ rm -f cookies.txt
```
Cookie jars are plain-text session state. Deleting short-lived jars reduces accidental reuse and token exposure.