When a cookie is sent via http header to a browser will it be added to the client browser?

H

2

7

I am trying to make connection with an API. When I call a method to this API, it respond with a cookie value sent via HTTP headers.

Will this header be automatically added to the client "my browser?" or do I have to parse the request first and create a cookie using setCookie?

if it does not add the cookies automatically, is there a way to do so?

Heaume answered 11/5, 2015 at 15:40 Comment(0)

S

8

It'll be handled automatically by your http client (you don't need to set it manually). Server should respond with Set-Cookie header (not with cookie), then client will save that cookie, and send it on next requests.

Setting a cookie

Cookies are set using the HTTP Set-Cookie header, sent in an HTTP response. This header instructs the browser to store the cookie and send it back in future requests to the server (the browser will, of course, ignore this header if it does not support cookies or has disabled cookies).

As an example, the browser sends its first request to the homepage of the www.example.org website:

GET /index.html HTTP/1.1
Host: www.example.org
...

The server responds with two Set-Cookie headers:

HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: theme=light
Set-Cookie: sessionToken=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT
...

The server's HTTP response contains the contents of the website's homepage. But it also instructs the browser to set two cookies. The first, "theme", is considered to be a "session" cookie, since it does not have an Expires or Max-Age attribute. Session cookies are typically deleted by the browser when the browser closes. The second, "sessionToken" contains an "Expires" attribute, which instructs the browser to delete the cookie at a specific date and time.

Next, the browser sends another request to visit the spec.html page on the website. This request contains a Cookie header, which contains the two cookies that the server instructed the browser to set.

GET /spec.html HTTP/1.1
Host: www.example.org
Cookie: theme=light; sessionToken=abc123
...

This way, the server knows that this request is related to the previous one. The server would answer by sending the requested page, and possibly adding other cookies as well using the Set-Cookie header.

The value of a cookie can be modified by the server by including a Set-Cookie header in response to a page request. The browser then replaces the old value with the new value.

The value of a cookie may consist of any printable ASCII character (! through ~, unicode \u0021through \u007E) excluding , and ; and excluding whitespace. The name of a cookie excludes the same characters, as well as =, since that is the delimiter between the name and value. The cookie standard RFC 2965 is more limiting but not implemented by browsers.

The term "cookie crumb" is sometimes used to refer to a cookie's name-value pair.

Cookies can also be set by scripting languages such as JavaScript that run within the browser. In JavaScript, the object document.cookie is used for this purpose. For example, the instruction document.cookie = "temperature=20" creates a cookie of name "temperature" and value "20".

See wikipedia page

Stout answered 11/5, 2015 at 15:45 Comment(9)

Thank you for the details provided. To make sure I fully understand the behavior, if the API sends me a cookie with 1 hours expiration time and the use close the browser, then after 30 minutes the user opens it again. When make another call to the API will the header be automatically from the client to the server or do I have to make sure I add the headers to the cURL request each time manually for them to be sent? – Heaume 11/5, 2015 at 15:53

yes, it will be automatically deleted. so the request will not contain expired cookies. – Stout 11/5, 2015 at 15:55

But will it be automatically added to every request until it is expired or do I had to add it the the cURL request each time using CURLOPT_HTTPHEADER "Thus I don't have to manage the cookie from/to API internally"? – Heaume 11/5, 2015 at 15:57

it will be automatically added to all requests – Stout 11/5, 2015 at 16:2

for some reason, if i don't add the header manually to CURLOPT_HTTPHEADER the API does not receive the header. why could be causing this issue? is there an option that I will have to set for the cURL to automatically include the set header via the HTTP header? I tired to use curl_setopt($ch, CURLOPT_COOKIE, true); but it did not auto include the headers – Heaume 11/5, 2015 at 16:42

hm, your are using php cUrl as a http client? I thought browser is the client – Stout 11/5, 2015 at 16:47

I open a browser and use the cURL extension to call the API. The client is the browser when I have a button on a PHP page the will sends the call to the API. – Heaume 11/5, 2015 at 16:51

ah ok, seems curl doesn't save cookies, just try on a browser, it will save cookies. – Stout 11/5, 2015 at 16:54

I am trying it on a browser but it is not sending the cookies – Heaume 11/5, 2015 at 16:55

S

1

Yes, the cookie will be added to document.cookie, unless the httponly param is set when sending the cookie.

Sedation answered 11/5, 2015 at 15:47 Comment(0)

Recommended topics

Hot tags