Cookies let an HTTP client preserve state across calls, which is required when sessions, preferences, or feature flags depend on prior requests. In automation, this means login flows, personalized pages, and quota behavior remain predictable only when the correct cookie context is reused.
Under the hood, servers send state via the Set-Cookie response header, and cURL re-sends that state with the Cookie request header. The tool reads cookie values from a literal string or a Netscape format file through --cookie, and can persist refreshed values with --cookie-jar so the next request continues the same session.
Cookie boundaries can be subtle: domain, path, protocol, expiration, and flags determine when a cookie is valid. Improper file permissions or incorrect scope can leak session secrets into unrelated requests, so keep cookie stores protected, avoid committing them, and reuse the same jar only within the same authentication context.
Related: How to save cookies from a cURL request
Related: How to create a cookie file for cURL
Steps to use cookies in cURL requests:
- Run a baseline cURL request without a cookie to confirm the endpoint reports no active session values.
$ curl --silent https://httpbin.org/cookies { "cookies": {} }
This baseline output is your control comparison before adding cookie headers.
- Send a request with a single cookie using --cookie to confirm the server receives it.
$ curl --silent --cookie "session=abc123" https://httpbin.org/cookies { "cookies": { "session": "abc123" } }
The --cookie "name=value" syntax sends a single pair as part of the request's Cookie header.
- Attach several cookies in one string by separating name-value pairs with semicolons in the same --cookie argument.
$ curl --silent --cookie "session=abc123; theme=dark; lang=en" https://httpbin.org/cookies { "cookies": { "lang": "en", "session": "abc123", "theme": "dark" } }
All pairs in one header apply together for that request, and server responses should reflect the combined state.
- Read cookies from a local jar by passing a Netscape format file path to --cookie.
$ curl --silent --cookie "./curl-cookies.txt" https://httpbin.org/cookies { "cookies": { "session": "abc123" } }
Do not share jar files across different credentials or automation jobs because token replay can persist stale privileges.
- Persist returned cookies back into the same jar with --cookie and --cookie-jar.
$ curl --silent --cookie "./curl-cookies.txt" --cookie-jar "./curl-cookies.txt" https://httpbin.org/cookies/set?session=def456
Use separate files for independent identities to avoid mixing auth state from unrelated tasks.
- Inspect the jar file to verify host, path, and value updates match what the server supplied.
$ sed -n '1,6p' curl-cookies.txt # Netscape HTTP Cookie File # https://curl.se/docs/http-cookies.html # This file was generated by libcurl. Edit at your own risk. httpbin.org FALSE / FALSE 0 session def456
Netscape cookie files are tab-separated with domain, path, secure flag, expiry, name, and value fields.
- Verify that a follow-up request uses the persisted jar by checking the same endpoint response.
$ curl --silent --cookie "./curl-cookies.txt" https://httpbin.org/cookies { "cookies": { "session": "def456" } }
Successful state continuity appears as the expected session name and value in the response payload.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
