Cookie field
Cookie carries the stored name and value pairs selected for one HTTP request.
- cookies
- fields
- browsers
Meaning
Cookie is a request field containing the stored cookie name and value pairs a
user agent selected for that request. Selection depends on the cookie store,
request host and path, secure transport, expiry, same-site context, credentials
mode, and browser policy.
Cookie: session=opaque; theme=dark
Expected result: the server receives two application-defined name and value
pairs. It does not receive the original Domain, Path, Secure, HttpOnly,
SameSite, or expiry attributes.
Relationship to Set-Cookie
Set-Cookie asks a user agent to store or update one cookie and its attributes.
Cookie later returns only applicable name and value pairs. A server therefore
cannot reconstruct the stored attributes from the request field alone.
General-purpose user agents generate the field from their cookie store. Browser
scripts cannot reliably set the Cookie request field directly through Fetch;
they select an appropriate credentials mode and let the browser perform cookie
processing.
Ordering and parsing
Servers should parse the semicolon-separated pairs without depending on their order. Duplicate names can occur when cookies with different paths match the same request, so application cookie handling needs an explicit duplicate policy.
Common mistakes
- Do not treat the field as proof that a request is authorized.
- Do not log complete cookie fields; they commonly carry session identifiers.
- Do not infer
Secure,HttpOnly, orSameSitefrom a returned pair. - Do not confuse CORS response access with cookie storage and selection.
Primary sources
- RFC 6265 section 4.2, Cookie (rfc)
- Current HTTP Working Group cookie specification draft (primary documentation)
