How to use cookies in cURL requests

Cookies keep stateful HTTP workflows consistent when separate requests need to behave like one browser session. That matters for authenticated API calls, personalized pages, and automation that depends on server-side session data instead of isolated one-off requests.

Servers create or update cookies through the Set-Cookie response header, and cURL sends matching values back in the Cookie request header. In practice, --cookie accepts either a literal cookie string or a Netscape-format cookie file, while --cookie-jar starts the cookie engine and writes any updated values back to disk after the request completes.

Cookie reuse only works when domain, path, secure, and expiration rules line up with the target request, so a jar that works for one host or account can be ignored or misapplied elsewhere. Keep jar files private, do not mix identities in the same jar, and remember that login or cookie-setting endpoints often redirect, which is why the workflow below uses --location when it needs both the final response body and the updated jar. The example values below stay masked while preserving the shape of real session-style identifiers.

Steps to use cookies in cURL requests:

Run a baseline request without cookies to confirm the endpoint returns no active cookie state.
```
$ curl --silent https://httpbin.org/cookies
{
  "cookies": {}
}
```
This control response makes it easy to confirm that later cookie-bearing requests are actually changing server-side state.
Send a literal cookie with --cookie to add one name-value pair to the request.
```
$ curl --silent --cookie "session=sess_01JQF6Z2M9R4********5T7V8W1X3Y" https://httpbin.org/cookies
{
  "cookies": {
    "session": "sess_01JQF6Z2M9R4********5T7V8W1X3Y"
  }
}
```
When the argument is not treated as a file path, cURL sends it as cookie header data for that request.

Pass multiple cookies in one request by separating pairs with semicolons inside the same --cookie value.

$ curl --silent --cookie "session=sess_01JQF6Z2M9R4********5T7V8W1X3Y; pref_region=ap-southeast-1; ui_theme=ops-dark" https://httpbin.org/cookies
{
  "cookies": {
    "pref_region": "ap-southeast-1",
    "session": "sess_01JQF6Z2M9R4********5T7V8W1X3Y",
    "ui_theme": "ops-dark"
  }
}

Use a cookie file instead of a long inline string when host, path, secure, or expiry metadata also needs to be preserved.

Create a dedicated working directory so a reusable cookie jar stays isolated from unrelated requests.
```
$ mkdir -p curl-cookie-use
$ cd curl-cookie-use
```
Keeping the jar in a short-lived workspace reduces accidental reuse across different accounts or automation runs.
Request an endpoint that sets a cookie and save the returned state with --cookie-jar.
```
$ curl --silent --location --cookie-jar cookies.txt "https://httpbin.org/cookies/set?session=sess_01JQF6Z2M9R4MASKED5T7V8W1X3Y"
{
  "cookies": {
    "session": "sess_01JQF6Z2M9R4MASKED5T7V8W1X3Y"
  }
}
```
--location follows the redirect to /cookies so the response body shows the final cookie state, while --cookie-jar writes the saved cookie to disk after the request finishes.
Restrict the jar file before reusing it so only the current user can read and update the stored session values.
```
$ chmod 600 cookies.txt
```
Cookie jars can contain live session identifiers and should not be left world-readable or shared between users.

Inspect the jar to confirm the stored host, path, and cookie value match the server response.

$ sed -n '1,6p' cookies.txt
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

httpbin.org	FALSE	/	FALSE	0	session	sess_01JQF6Z2M9R4MASKED5T7V8W1X3Y

Netscape cookie files are tab-separated with domain, subdomain-matching, path, secure flag, expiry, name, and value fields.

Reuse the jar on a later request by passing the file back through --cookie.
```
$ curl --silent --cookie cookies.txt https://httpbin.org/cookies
{
  "cookies": {
    "session": "sess_01JQF6Z2M9R4MASKED5T7V8W1X3Y"
  }
}
```
--cookie reads matching entries from the jar and sends only the cookies that apply to the request URL.

Read and write the same jar in one command when the server rotates a session cookie.

$ curl --silent --location --cookie cookies.txt --cookie-jar cookies.txt "https://httpbin.org/cookies/set?session=sess_01JQH1P7T6N2MASKED4R8K3M9X5C"
{
  "cookies": {
    "session": "sess_01JQH1P7T6N2MASKED4R8K3M9X5C"
  }
}

Using the same file for both options keeps the jar current, but only when that file belongs to one authentication context.

Verify the refreshed jar on a follow-up request before using it in a longer script.
```
$ curl --silent --cookie cookies.txt https://httpbin.org/cookies
{
  "cookies": {
    "session": "sess_01JQH1P7T6N2MASKED4R8K3M9X5C"
  }
}
```
The follow-up response should show the updated value from the jar rather than the earlier cookie state.
Remove the jar when the session is no longer needed.
```
$ rm -f cookies.txt
```
Deleting short-lived cookie jars limits token exposure and prevents stale sessions from being reused by mistake.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.