How to save session cookies in wget
Authenticated downloads often depend on a short-lived web session instead of a static token or HTTP basic-auth credential. Saving session cookies from wget keeps a scripted download sequence inside the same server-side login context and avoids rebuilding the login flow for every request in a batch job.
GNU wget writes cookies with --save-cookies, reloads them with --load-cookies, and only preserves session cookies when --keep-session-cookies is also present. Those saved values use the Netscape cookie-jar format, and session rows are written with an expiry of 0 so later wget runs can treat them as part of the same browser-style session.
Cookie jars are credentials in practice. Keep them in a restricted directory, expect the site to rotate or invalidate them, and delete them when the automation step is complete so the replay window is as small as possible.
Related: How to use custom cookies with wget
Related: How to send POST data with wget
Steps to save session cookies in wget:
- Create and enter an isolated working directory for the cookie jar and the downloaded content.
$ mkdir -p "$HOME/wget-session" $ cd "$HOME/wget-session"
Keeping the jar in a dedicated directory makes cleanup and permission review straightforward once the session is no longer needed.
- Send the login or cookie-setting request with both --save-cookies and --keep-session-cookies enabled.
$ wget --save-cookies session-cookies.txt \ --keep-session-cookies \ --output-document=/dev/null \ 'https://httpbin.org/cookies/set?sessionid=codexdemo123' --2026-03-27 06:56:46-- https://httpbin.org/cookies/set?sessionid=codexdemo123 Resolving httpbin.org (httpbin.org)... 44.221.213.41, 54.146.128.0, 44.196.185.120, ... Connecting to httpbin.org (httpbin.org)|44.221.213.41|:443... connected. HTTP request sent, awaiting response... 302 FOUND Location: /cookies [following] --2026-03-27 06:56:47-- https://httpbin.org/cookies Reusing existing connection to httpbin.org:443. HTTP request sent, awaiting response... 200 OK Length: 55 [application/json] Saving to: '/dev/null' 0K 100% 13.1M=0s 2026-03-27 06:56:47 (13.1 MB/s) - '/dev/null' saved [55/55]Sites that require a form login use the same cookie flow; replace the URL with the real login request and add the matching POST body when needed.
Related: How to send POST data with wget
- Restrict the cookie jar permissions before reusing the saved session.
$ chmod 600 session-cookies.txt $ ls -l session-cookies.txt -rw------- 1 user user 135 Mar 27 06:56 session-cookies.txt
Anyone who can read the jar can usually replay the authenticated session until the site expires or revokes it.
- Inspect the saved jar and confirm the session cookie was written with an expiry of 0.
$ sed -n '1,8p' session-cookies.txt # HTTP Cookie File # Generated by Wget on 2026-03-27 06:52:47. # Edit at your own risk. httpbin.org FALSE / FALSE 0 sessionid codexdemo123
The 0 expiry is how wget marks a saved session cookie when --keep-session-cookies is enabled.
- Reload the jar on the next request and confirm the remote service sees the same session value.
$ wget --load-cookies session-cookies.txt -qO- https://httpbin.org/cookies { "cookies": { "sessionid": "codexdemo123" } }Use a protected page, account dashboard, or echo endpoint that exposes the session state so a redirected login page is not mistaken for success.
- Combine --load-cookies and --save-cookies on later requests when the site refreshes the session during the workflow.
$ wget --load-cookies session-cookies.txt \ --save-cookies session-cookies.txt \ --keep-session-cookies \ -qO- https://httpbin.org/cookies { "cookies": { "sessionid": "codexdemo123" } }Rewriting the same jar lets one automation run carry forward refreshed cookie values without starting over from the login step.
- Remove the session jar after the job finishes.
$ rm -f session-cookies.txt
Delete the jar only after the final authenticated request is complete so the workflow does not lose the session mid-run.