/ HTTP Headers


The HTTP Cookie header is an essential part of the web’s state management mechanism, allowing servers to store and retrieve small pieces of data on the client side.

Purpose of the Cookie Header

HTTP is a stateless protocol, which means that each request is independent and has no knowledge of previous requests. This can be problematic when it comes to web applications that require maintaining state information, such as user authentication or shopping cart data. This is where cookies come into play.

Cookies are small text files stored on the client’s computer by the web browser. They can be used to store and transmit information between the client and the server across multiple requests. The Cookie header is used to send cookies from the client to the server, while the Set-Cookie header is used by the server to instruct the client to store new cookies.

Cookie Header Syntax

The syntax for the Cookie header is as follows:

Cookie: name1=value1; name2=value2; ...

Each cookie is represented by a name-value pair, separated by an equal sign (=). Multiple cookies can be sent in a single Cookie header, with each name-value pair separated by a semicolon (;) and a space.

Example: Request and Response Headers with Cookies

Let’s look at an example of a client sending a request to a server with a Cookie header, and the server responding with a Set-Cookie header.


GET /example HTTP/1.1
Host: www.example.com
Cookie: session_id=abc123; username=johndoe

In this request, the client sends two cookies to the server: session_id with a value of abc123, and username with a value of johndoe.


HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session_id=def456; Expires=Wed, 09 Jun 2022 10:18:14 GMT

In the response, the server instructs the client to store a new session_id cookie with a value of def456 and an expiration date of June 9, 2021.

Secure and HttpOnly Attributes

In addition to the name-value pair and expiration date, cookies can have additional attributes to enhance their security. Two common attributes are Secure and HttpOnly.

  • Secure: This attribute indicates that the cookie should only be transmitted over HTTPS connections. This helps protect the cookie from eavesdropping and man-in-the-middle attacks.
  • HttpOnly: This attribute prevents the cookie from being accessed by client-side JavaScript, mitigating the risk of cross-site scripting (XSS) attacks.


Set-Cookie: session_id=def456; Expires=Wed, 09 Jun 2022 10:18:14 GMT; Secure; HttpOnly

In this example, the session_id cookie is marked as both Secure and HttpOnly.

Was this helpful?

Thanks for your feedback!