Some authenticated download flows create a temporary web session instead of exposing a reusable username/password pair or API token. Saving that session cookie in wget lets later requests stay inside the same signed-in state without repeating the login request before every download.
The working flags are --save-cookies to write the jar, --load-cookies to read it on later requests, and --keep-session-cookies when the site marks the cookie as session-only. GNU wget writes the jar in Netscape cookie-file format, and saved session cookies appear with an expiry value of 0.
Cookie jars act like credentials. Store them with restricted permissions, expect the server to rotate or revoke them, and remove them when the authenticated work is done so the session cannot be replayed later.
Related: How to use custom cookies with wget
Related: How to send POST data with wget
$ wget --save-cookies session-cookies.txt \
--keep-session-cookies \
--output-document=/dev/null \
'https://httpbin.org/cookies/set?portal_session=sess_01JQBX8X4H9R2K7M5N3T6V1'
##### snipped #####
HTTP request sent, awaiting response... 302 FOUND
Location: /cookies [following]
##### snipped #####
HTTP request sent, awaiting response... 200 OK
Length: 79 [application/json]
Saving to: '/dev/null'
'/dev/null' saved [79/79]
Replace the example URL with the real login or landing request that causes the site to issue the authenticated session cookie.
$ chmod 600 session-cookies.txt
Anyone who can read the jar can often replay the same session until the site expires or revokes it.
$ cat session-cookies.txt
# HTTP Cookie File
# Generated by Wget on 2026-04-22 06:11:04.
# Edit at your own risk.
httpbin.org FALSE / FALSE 0 portal_session sess_01JQBX8X4H9R2K7M5N3T6V1
The 0 expiry marks a saved session cookie in the Netscape cookie-file format that wget writes.
$ wget --load-cookies session-cookies.txt \
--quiet \
--output-document=- \
https://httpbin.org/cookies
{
"cookies": {
"portal_session": "sess_01JQBX8X4H9R2K7M5N3T6V1"
}
}
Check for account-specific content, an expected JSON key, or the normal authenticated page title so a redirected sign-in page is not mistaken for success.
$ wget --load-cookies session-cookies.txt \
--save-cookies session-cookies.txt \
--keep-session-cookies \
--quiet \
--output-document=- \
https://httpbin.org/cookies
{
"cookies": {
"portal_session": "sess_01JQBX8X4H9R2K7M5N3T6V1"
}
}
Use --keep-session-cookies again when resaving the jar, or wget will not preserve those session-only rows in the updated file.
$ rm -f session-cookies.txt
Deleting the jar too early breaks later authenticated requests, and leaving it behind extends the replay window.
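The permission and expiry checks from the steps above can be scripted before a jar is reused. This is an added example, not part of the original page: the function names are hypothetical, the sample jar is constructed, and new_private_jar assumes wget writes into an existing jar file without widening its mode.

```sh
#!/bin/sh
# Added example: audit a wget cookie jar before reusing it.

# Create an empty jar readable only by its owner, so wget never creates it
# under a wider default umask (assumes wget rewrites the existing file in place).
new_private_jar() {
    ( umask 077 && : > "$1" && chmod 600 "$1" )
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
jar_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print "domain<TAB>name" for each session-only row (7 tab-separated fields,
# expiry field 0). Cookie values are never printed, so the output is safe to log.
session_cookie_names() {
    awk -F '\t' '/^#/ || NF != 7 { next } $5 == 0 { print $1 "\t" $6 }' "$1"
}

# Fail if the jar is missing or group/other have any access; otherwise list
# the session cookies that --load-cookies would replay.
audit_jar() {
    [ -f "$1" ] || { echo "no such jar: $1" >&2; return 2; }
    mode=$(jar_mode "$1")
    case $mode in
        *00) session_cookie_names "$1" ;;
        *)   echo "$1 has mode $mode; run chmod 600" >&2; return 1 ;;
    esac
}

# Constructed sample jar (not real credentials): one session cookie and one
# persistent cookie with a non-zero expiry.
write_sample_jar() {
    {
        printf '# HTTP Cookie File\n'
        printf 'httpbin.org\tFALSE\t/\tFALSE\t0\tportal_session\tsess_EXAMPLE\n'
        printf 'httpbin.org\tFALSE\t/\tFALSE\t1893456000\tprefs\tdark\n'
    } > "$1"
}
```

Source the file, call new_private_jar session-cookies.txt before the first --save-cookies request, and call audit_jar session-cookies.txt before each --load-cookies request.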