How are cookies passed in the HTTP protocol?

How are cookies passed in the HTTP protocol?

The server sends the following in its response header to set a cookie field.

Set-Cookie: name=value

If there is a cookie set, then the browser sends the following in its request header.

Cookie: name=value

See the HTTP Cookie article at Wikipedia for more information.

Cookies are passed as HTTP headers, both in the request (client -> server), and in the response (server -> client).

Apart from what it's written in other answers, other details related to path of cookie, maximum age of cookie, whether it's secured or not also passed in Set-Cookie response header. For instance:

Set-Cookie: name=value[; expires=date][; domain=domain][; path=path][; secure]

---

However, not all of these details are passed back to the server by the client when making next HTTP request.

You can also set HttpOnly flag at the end of your cookie, to indicate that your cookie is httponly and must not allowed to be accessed, in scripts by javascript code. This helps to prevent attacks such as session-hijacking.

For more information, see RFC 2109. Also have a look at Nicholas C. Zakas's article, HTTP cookies explained.

create example script as resp :

#!/bin/bash

http_code=200
mime=text/html

echo -e "HTTP/1.1 $http_code OK\r"
echo "Content-type: $mime"
echo "Set-Cookie: name=F"
echo

then make executable and execute like this.

./resp | nc -l 12346

open browser and browse URL: http://localhost:12346 you will see Cookie value which is sent by Browser

[aaa@bbbbbbbb ]$ ./resp | nc -l -p 12346
GET / HTTP/1.1
Host: xxx.xxx.xxx.xxx:12346
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ru;q=0.6
Cookie: name=F