Manual cookie files are useful when an HTTP workflow needs the exact session state from a prior login, a copied browser request, or a reproducible API test. A prepared jar makes repeat requests behave as one session without reauthenticating on every call.
When cURL reads --cookie from a file instead of a literal Cookie: header, it expects the classic Netscape cookie-jar format. Each cookie lives on one line with seven tab-separated fields for domain, subdomain matching, path, secure transport, expiry, name, and value, while comment lines start with #.
Cookie jars often contain live session identifiers, so file permissions matter as much as the syntax. Cookies are only sent when the domain, path, protocol, and expiry rules match the target request, so a file that looks correct can still behave as empty if one field is wrong.
Related: How to save cookies from a cURL request
Related: How to use cookies in cURL requests
Steps to create a cookie file for cURL:
- Create the cookie file and write the Netscape header lines that cURL expects.
$ cat > manual-cookies.txt <<'EOF' # Netscape HTTP Cookie File # https://curl.se/docs/http-cookies.html EOF
- Append the first cookie as seven tab-separated fields for the exact host, path, transport rule, expiry time, name, and value.
$ printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \ 'httpbin.org' 'FALSE' '/' 'TRUE' '2147483647' 'session_id' 'sid_7f3a9c5e21d84b60' \ >> manual-cookies.txt
Field order is domain, include subdomains, path, HTTPS only, expires at, name, and value; use 0 in the expiry field for a session cookie that should not be stored beyond the current session.
- Add more cookie lines only when the request needs additional names or a different scope.
$ printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \ 'httpbin.org' 'FALSE' '/' 'TRUE' '2147483647' 'account_id' 'acct_48291' \ >> manual-cookies.txt
Set field two to TRUE only when the cookie must match subdomains, and set field four to FALSE only when the target request is plain HTTP rather than HTTPS.
- Inspect the file and confirm that each cookie row still has seven tab-separated fields.
$ sed -n '1,4p' manual-cookies.txt # Netscape HTTP Cookie File # https://curl.se/docs/http-cookies.html httpbin.org FALSE / TRUE 2147483647 session_id sid_7f3a9c5e21d84b60 httpbin.org FALSE / TRUE 2147483647 account_id acct_48291 $ awk -F '\t' 'NF && $1 !~ /^#/ { print NF " fields: " $6 "=" $7 }' manual-cookies.txt 7 fields: session_id=sid_7f3a9c5e21d84b60 7 fields: account_id=acct_48291If a row uses spaces instead of tabs, omits a field, or loses its final newline, cURL can ignore that cookie silently.
- Restrict the file so only the current account can read and update the cookie values.
$ chmod 600 manual-cookies.txt
Loose permissions on a cookie jar expose reusable session data to other local users and automation jobs.
- Test the jar with a request that echoes the active cookies back in the response body.
$ curl --silent --cookie manual-cookies.txt https://httpbin.org/cookies { "cookies": { "account_id": "acct_48291", "session_id": "sid_7f3a9c5e21d84b60" } }A matching response confirms that the domain, path, secure flag, and expiry values are valid for that request.
- Remove the file when the test session is no longer needed.
$ rm -f manual-cookies.txt
Short-lived cookie jars reduce accidental session reuse across unrelated scripts.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
