Cookie field

Cookie carries the stored name and value pairs selected for one HTTP request.

  • cookies
  • fields
  • browsers

Meaning

Cookie is a request field containing the stored cookie name and value pairs a user agent selected for that request. Selection depends on the cookie store, request host and path, secure transport, expiry, same-site context, credentials mode, and browser policy.

Cookie: session=opaque; theme=dark

Expected result: the server receives two application-defined name and value pairs. It does not receive the original Domain, Path, Secure, HttpOnly, SameSite, or expiry attributes.

Set-Cookie asks a user agent to store or update one cookie and its attributes. Cookie later returns only applicable name and value pairs. A server therefore cannot reconstruct the stored attributes from the request field alone.

General-purpose user agents generate the field from their cookie store. Browser scripts cannot reliably set the Cookie request field directly through Fetch; they select an appropriate credentials mode and let the browser perform cookie processing.

Ordering and parsing

Servers should parse the semicolon-separated pairs without depending on their order. Duplicate names can occur when cookies with different paths match the same request, so application cookie handling needs an explicit duplicate policy.

Common mistakes

  • Do not treat the field as proof that a request is authorized.
  • Do not log complete cookie fields; they commonly carry session identifiers.
  • Do not infer Secure, HttpOnly, or SameSite from a returned pair.
  • Do not confuse CORS response access with cookie storage and selection.

Primary sources