7

I am trying to make a connection with an API. When I call a method on this API, it responds with a cookie value sent via HTTP headers.

Will this header be automatically added to the client ("my browser"), or do I have to parse the request first and create a cookie using setCookie?

If it does not add the cookies automatically, is there a way to do so?

Jaylen

2 Answers

9

It'll be handled automatically by your HTTP client (you don't need to set it manually). The server should respond with a Set-Cookie header (not with cookie), then the client will save that cookie and send it on the next requests.

Setting a cookie

Cookies are set using the HTTP Set-Cookie header, sent in an HTTP response. This header instructs the browser to store the cookie and send it back in future requests to the server (the browser will, of course, ignore this header if it does not support cookies or has disabled cookies).

As an example, the browser sends its first request to the homepage of the www.example.org website:

```
GET /index.html HTTP/1.1
Host: www.example.org
...
```

The server responds with two Set-Cookie headers:

```
HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: theme=light
Set-Cookie: sessionToken=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT
...
```

The server's HTTP response contains the contents of the website's homepage. But it also instructs the browser to set two cookies. The first, "theme", is considered to be a "session" cookie, since it does not have an Expires or Max-Age attribute. Session cookies are typically deleted by the browser when the browser closes. The second, "sessionToken" contains an "Expires" attribute, which instructs the browser to delete the cookie at a specific date and time.

Next, the browser sends another request to visit the spec.html page on the website. This request contains a Cookie header, which contains the two cookies that the server instructed the browser to set.

```
GET /spec.html HTTP/1.1
Host: www.example.org
Cookie: theme=light; sessionToken=abc123
...
```

This way, the server knows that this request is related to the previous one. The server would answer by sending the requested page, and possibly adding other cookies as well using the Set-Cookie header.

The value of a cookie can be modified by the server by including a Set-Cookie header in response to a page request. The browser then replaces the old value with the new value.

The value of a cookie may consist of any printable ASCII character (! through ~, unicode \u0021 through \u007E) excluding , and ; and excluding whitespace. The name of a cookie excludes the same characters, as well as =, since that is the delimiter between the name and value. The cookie standard RFC 2965 is more limiting but not implemented by browsers.

The term "cookie crumb" is sometimes used to refer to a cookie's name-value pair.

Cookies can also be set by scripting languages such as JavaScript that run within the browser. In JavaScript, the object document.cookie is used for this purpose. For example, the instruction document.cookie = "temperature=20" creates a cookie of name "temperature" and value "20".

See the Wikipedia page.

l0gg3r
  • Thank you for the details provided. To make sure I fully understand the behavior: if the API sends me a cookie with a 1 hour expiration time and the user closes the browser, then after 30 minutes the user opens it again. When I make another call to the API, will the header be automatically sent from the client to the server, or do I have to make sure I add the headers to the cURL request each time manually for them to be sent? – Jaylen May 11 '15 at 15:53
  • Yes, it will be automatically deleted, so the request will not contain expired cookies. – l0gg3r May 11 '15 at 15:55
  • But will it be automatically added to every request until it is expired, or do I have to add it to the cURL request each time using `CURLOPT_HTTPHEADER` "Thus I don't have to manage the cookie from/to API internally"? – Jaylen May 11 '15 at 15:57
  • 1
    it will be automatically added to all requests – l0gg3r May 11 '15 at 16:02
  • For some reason, if I don't add the header manually to `CURLOPT_HTTPHEADER`, the API does not receive the header. What could be causing this issue? Is there an option that I will have to set for cURL to automatically include the set header via the HTTP header? I tried to use `curl_setopt($ch, CURLOPT_COOKIE, true);` but it did not auto-include the headers – Jaylen May 11 '15 at 16:42
  • Hm, you are using PHP cURL as an HTTP client? I thought the browser is the client – l0gg3r May 11 '15 at 16:47
  • I open a browser and use the cURL extension to call the API. The client is the browser when I have a button on a PHP page that will send the call to the API. – Jaylen May 11 '15 at 16:51
  • ah ok, seems curl doesn't save cookies, just try on a browser, it will save cookies. – l0gg3r May 11 '15 at 16:54
  • I am trying it on a browser but it is not sending the cookies – Jaylen May 11 '15 at 16:55
1

Yes, the cookie will be added to document.cookie, unless the httponly param is set when sending the cookie.

RonaldPK
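An added example, not part of either answer or of any library: a minimal cookie store in JavaScript that models what a client does with the headers quoted in the first answer (store from Set-Cookie, replace by name, drop at expiry, replay in Cookie) and the HttpOnly behaviour from the second answer. `CookieJar` and its method names are hypothetical, the HttpOnly attribute on the sample header is constructed, and Domain, Path, Secure and SameSite matching is left out.

```javascript
// Added example; CookieJar and its method names are hypothetical.
// Domain, Path, Secure and SameSite matching is deliberately left out.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Store one Set-Cookie header value received at time `now` (a Date).
  store(setCookie, now) {
    const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 1) return; // no cookie name: ignore the header
    const cookie = { value: pair.slice(eq + 1), expires: null, httpOnly: false };
    let maxAge = null;
    for (const attr of attrs) {
      const i = attr.indexOf('=');
      const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
      const val = i === -1 ? '' : attr.slice(i + 1).trim();
      if (key === 'httponly') cookie.httpOnly = true;
      if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = Number(val);
      if (key === 'expires' && !Number.isNaN(Date.parse(val))) cookie.expires = Date.parse(val);
    }
    // Max-Age wins over Expires when both are present.
    if (maxAge !== null) cookie.expires = now.getTime() + maxAge * 1000;
    this.cookies.set(pair.slice(0, eq), cookie); // same name: value is replaced
  }

  // Drop expired cookies, then return the remaining [name, cookie] entries.
  live(now) {
    for (const [name, c] of this.cookies) {
      if (c.expires !== null && c.expires <= now.getTime()) this.cookies.delete(name);
    }
    return [...this.cookies];
  }

  // Value for the Cookie request header: every live cookie, HttpOnly included.
  cookieHeader(now) {
    return this.live(now).map(([n, c]) => `${n}=${c.value}`).join('; ');
  }

  // What page script would read from document.cookie: HttpOnly ones are hidden.
  scriptVisible(now) {
    return this.live(now).filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
}

// Constructed sample: the two headers quoted above, with HttpOnly added to the second.
const jar = new CookieJar();
const t0 = new Date('2021-06-01T00:00:00Z');
jar.store('theme=light', t0);
jar.store('sessionToken=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT; HttpOnly', t0);
console.log(jar.cookieHeader(t0), '|', jar.scriptVisible(t0));
```

A client that is not a browser has to keep such a store itself. In PHP's cURL extension that is what `CURLOPT_COOKIEJAR` and `CURLOPT_COOKIEFILE` enable, while `CURLOPT_COOKIE` takes a cookie string rather than a boolean.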