2024-03-31 17:52:28 +08:00
|
|
|
<!--
|
|
|
|
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
|
|
|
|
|
|
SPDX-License-Identifier: curl
|
|
|
|
-->
|
|
|
|
|
2016-03-29 14:53:40 +08:00
|
|
|
# HTTP Cookies
|
|
|
|
|
|
|
|
## Cookie overview
|
|
|
|
|
2022-03-29 19:58:11 +08:00
|
|
|
Cookies are `name=contents` pairs that an HTTP server tells the client to
|
2016-03-29 14:53:40 +08:00
|
|
|
hold and then the client sends back those to the server on subsequent
|
|
|
|
requests to the same domains and paths for which the cookies were set.
|
|
|
|
|
|
|
|
Cookies are either "session cookies" which typically are forgotten when the
|
|
|
|
session is over which is often translated to equal when browser quits, or
|
2021-10-31 23:34:44 +08:00
|
|
|
the cookies are not session cookies they have expiration dates after which
|
2024-02-27 14:48:10 +08:00
|
|
|
the client throws them away.
|
2016-03-29 14:53:40 +08:00
|
|
|
|
|
|
|
Cookies are set to the client with the Set-Cookie: header and are sent to
|
|
|
|
servers with the Cookie: header.
|
|
|
|
|
2021-11-01 20:43:11 +08:00
|
|
|
For a long time, the only spec explaining how to use cookies was the
|
2020-11-04 21:02:01 +08:00
|
|
|
original [Netscape spec from 1994](https://curl.se/rfc/cookie_spec.html).
|
2016-03-29 14:53:40 +08:00
|
|
|
|
2023-06-25 16:50:17 +08:00
|
|
|
In 2011, [RFC 6265](https://www.ietf.org/rfc/rfc6265.txt) was finally
|
2019-02-17 07:09:30 +08:00
|
|
|
published and details how cookies work within HTTP. In 2016, an update which
|
|
|
|
added support for prefixes was
|
2022-01-22 02:52:33 +08:00
|
|
|
[proposed](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00),
|
2019-02-17 07:09:30 +08:00
|
|
|
and in 2017, another update was
|
2022-01-22 02:52:33 +08:00
|
|
|
[drafted](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-alone-01)
|
2019-02-17 07:09:30 +08:00
|
|
|
to deprecate modification of 'secure' cookies from non-secure origins. Both
|
2019-12-06 19:56:14 +08:00
|
|
|
of these drafts have been incorporated into a proposal to
|
2022-11-18 15:55:05 +08:00
|
|
|
[replace](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-11)
|
2023-06-25 16:50:17 +08:00
|
|
|
RFC 6265. Cookie prefixes and secure cookie modification protection has been
|
2019-02-17 07:09:30 +08:00
|
|
|
implemented by curl.
|
2016-03-29 14:53:40 +08:00
|
|
|
|
2022-11-18 02:08:56 +08:00
|
|
|
curl considers `http://localhost` to be a *secure context*, meaning that it
|
2024-02-27 14:48:10 +08:00
|
|
|
allows and uses cookies marked with the `secure` keyword even when done over
|
|
|
|
plain HTTP for this host. curl does this to match how popular browsers work
|
|
|
|
with secure cookies.
|
2022-11-18 02:08:56 +08:00
|
|
|
|
2024-01-12 23:50:44 +08:00
|
|
|
## Super cookies
|
|
|
|
|
|
|
|
A single cookie can be set for a domain that matches multiple hosts. Like if
|
|
|
|
set for `example.com` it gets sent to both `aa.example.com` as well as
|
|
|
|
`bb.example.com`.
|
|
|
|
|
|
|
|
A challenge with this concept is that there are certain domains for which
|
|
|
|
cookies should not be allowed at all, because they are *Public
|
|
|
|
Suffixes*. Similarly, a client never accepts cookies set directly for the
|
|
|
|
top-level domain like for example `.com`. Cookies set for *too broad*
|
|
|
|
domains are generally referred to as *super cookies*.
|
|
|
|
|
|
|
|
If curl is built with PSL (**Public Suffix List**) support, it detects and
|
|
|
|
discards cookies that are specified for such suffix domains that should not
|
|
|
|
be allowed to have cookies.
|
|
|
|
|
|
|
|
if curl is *not* built with PSL support, it has no ability to stop super
|
|
|
|
cookies.
|
|
|
|
|
2016-03-29 14:53:40 +08:00
|
|
|
## Cookies saved to disk
|
|
|
|
|
|
|
|
Netscape once created a file format for storing cookies on disk so that they
|
|
|
|
would survive browser restarts. curl adopted that file format to allow
|
|
|
|
sharing the cookies with browsers, only to see browsers move away from that
|
|
|
|
format. Modern browsers no longer use it, while curl still does.
|
|
|
|
|
2022-01-30 19:57:24 +08:00
|
|
|
The Netscape cookie file format stores one cookie per physical line in the
|
2016-03-29 14:53:40 +08:00
|
|
|
file with a bunch of associated meta data, each field separated with
|
2022-09-21 05:30:19 +08:00
|
|
|
TAB. That file is called the cookie jar in curl terminology.
|
2016-03-29 14:53:40 +08:00
|
|
|
|
2022-09-21 05:30:19 +08:00
|
|
|
When libcurl saves a cookie jar, it creates a file header of its own in
|
2024-02-27 14:48:10 +08:00
|
|
|
which there is a URL mention that links to the web version of this document.
|
2016-03-29 14:53:40 +08:00
|
|
|
|
2020-01-11 05:53:05 +08:00
|
|
|
## Cookie file format
|
|
|
|
|
|
|
|
The cookie file format is text based and stores one cookie per line. Lines
|
2023-03-28 05:31:07 +08:00
|
|
|
that start with `#` are treated as comments. An exception is lines that
|
|
|
|
start with `#HttpOnly_`, which is a prefix for cookies that have the
|
|
|
|
`HttpOnly` attribute set.
|
2020-01-11 05:53:05 +08:00
|
|
|
|
2021-09-24 18:43:21 +08:00
|
|
|
Each line that specifies a single cookie consists of seven text fields
|
2020-02-18 21:23:04 +08:00
|
|
|
separated with TAB characters. A valid line must end with a newline
|
|
|
|
character.
|
|
|
|
|
|
|
|
### Fields in the file
|
|
|
|
|
|
|
|
Field number, what type and example data and the meaning of it:
|
|
|
|
|
|
|
|
0. string `example.com` - the domain name
|
|
|
|
1. boolean `FALSE` - include subdomains
|
|
|
|
2. string `/foobar/` - path
|
|
|
|
3. boolean `TRUE` - send/receive over HTTPS only
|
|
|
|
4. number `1462299217` - expires at - seconds since Jan 1st 1970, or 0
|
|
|
|
5. string `person` - name of the cookie
|
|
|
|
6. string `daniel` - value of the cookie
|
2020-01-11 05:53:05 +08:00
|
|
|
|
2016-03-29 14:53:40 +08:00
|
|
|
## Cookies with curl the command line tool
|
|
|
|
|
|
|
|
curl has a full cookie "engine" built in. If you just activate it, you can
|
|
|
|
have curl receive and send cookies exactly as mandated in the specs.
|
|
|
|
|
|
|
|
Command line options:
|
|
|
|
|
|
|
|
`-b, --cookie`
|
|
|
|
|
|
|
|
tell curl a file to read cookies from and start the cookie engine, or if it
|
2024-02-27 14:48:10 +08:00
|
|
|
is not a file it passes on the given string. `-b name=var` works and so does
|
|
|
|
`-b cookiefile`.
|
2016-03-29 14:53:40 +08:00
|
|
|
|
|
|
|
`-j, --junk-session-cookies`
|
|
|
|
|
2024-02-27 14:48:10 +08:00
|
|
|
when used in combination with -b, it skips all "session cookies" on load so
|
|
|
|
as to appear to start a new cookie session.
|
2016-03-29 14:53:40 +08:00
|
|
|
|
|
|
|
`-c, --cookie-jar`
|
|
|
|
|
|
|
|
tell curl to start the cookie engine and write cookies to the given file
|
|
|
|
after the request(s)
|
|
|
|
|
|
|
|
## Cookies with libcurl
|
|
|
|
|
|
|
|
libcurl offers several ways to enable and interface the cookie engine. These
|
|
|
|
options are the ones provided by the native API. libcurl bindings may offer
|
|
|
|
access to them using other means.
|
|
|
|
|
|
|
|
`CURLOPT_COOKIE`
|
|
|
|
|
|
|
|
Is used when you want to specify the exact contents of a cookie header to
|
|
|
|
send to the server.
|
|
|
|
|
|
|
|
`CURLOPT_COOKIEFILE`
|
|
|
|
|
|
|
|
Tell libcurl to activate the cookie engine, and to read the initial set of
|
|
|
|
cookies from the given file. Read-only.
|
|
|
|
|
|
|
|
`CURLOPT_COOKIEJAR`
|
|
|
|
|
|
|
|
Tell libcurl to activate the cookie engine, and when the easy handle is
|
2022-09-21 05:30:19 +08:00
|
|
|
closed save all known cookies to the given cookie jar file. Write-only.
|
2016-03-29 14:53:40 +08:00
|
|
|
|
|
|
|
`CURLOPT_COOKIELIST`
|
|
|
|
|
|
|
|
Provide detailed information about a single cookie to add to the internal
|
2022-03-29 19:58:11 +08:00
|
|
|
storage of cookies. Pass in the cookie as an HTTP header with all the
|
|
|
|
details set, or pass in a line from a Netscape cookie file. This option can
|
|
|
|
also be used to flush the cookies etc.
|
2016-03-29 14:53:40 +08:00
|
|
|
|
2022-05-05 17:51:07 +08:00
|
|
|
`CURLOPT_COOKIESESSION`
|
|
|
|
|
|
|
|
Tell libcurl to ignore all cookies it is about to load that are session
|
|
|
|
cookies.
|
|
|
|
|
2016-03-29 14:53:40 +08:00
|
|
|
`CURLINFO_COOKIELIST`
|
|
|
|
|
|
|
|
Extract cookie information from the internal cookie storage as a linked
|
|
|
|
list.
|
|
|
|
|
2022-04-21 23:05:36 +08:00
|
|
|
## Cookies with JavaScript
|
2016-03-29 14:53:40 +08:00
|
|
|
|
2022-09-21 05:30:19 +08:00
|
|
|
These days a lot of the web is built up by JavaScript. The web browser loads
|
2022-04-21 23:05:36 +08:00
|
|
|
complete programs that render the page you see. These JavaScript programs
|
2016-03-29 14:53:40 +08:00
|
|
|
can also set and access cookies.
|
|
|
|
|
|
|
|
Since curl and libcurl are plain HTTP clients without any knowledge of or
|
2024-02-27 14:48:10 +08:00
|
|
|
capability to handle JavaScript, such cookies are not detected or used.
|
2016-03-29 14:53:40 +08:00
|
|
|
|
2020-08-17 04:36:10 +08:00
|
|
|
Often, if you want to mimic what a browser does on such websites, you can
|
2016-03-29 14:53:40 +08:00
|
|
|
record web browser HTTP traffic when using such a site and then repeat the
|
|
|
|
cookie operations using curl or libcurl.
|