Curl -- Cookies and Sessions

How to use cURL to send Cookies?

This worked for me:

curl -v --cookie "USER_TOKEN=Yes" http://127.0.0.1:5000/

I could see the value in backend using

print(request.cookies)

Save cookies between two curl requests

Use the --cookie-jar or --dump-header parameter to save received cookies to a file. The --cookie parameter can read back the cookies from that file later.

-b, --cookie <name=data>

(HTTP) Pass the data to the HTTP server as a cookie. It is supposedly the data previously received from the server in a "Set-Cookie:" line. The data should be in the format "NAME1=VALUE1; NAME2=VALUE2".

If no '=' symbol is used in the line, it is treated as a filename to use to read previously stored cookie lines from, which should be used in this session if they match. Using this method also activates the cookie engine which will make curl record incoming cookies too, which may be handy if you're using this in combination with the -L, --location option. The file format of the file to read cookies from should be plain HTTP headers (Set-Cookie style) or the Netscape/Mozilla cookie file format.

The file specified with -b, --cookie is only used as input. No cookies will be written to the file. To store cookies, use the -c, --cookie-jar option.

Exercise caution if you are using this option and multiple transfers may occur. If you use the NAME1=VALUE1; format, or in a file use the Set-Cookie format and don't specify a domain, then the cookie is sent for any domain (even after redirects are followed) and cannot be modified by a server-set cookie. If the cookie engine is enabled and a server sets a cookie of the same name then both will be sent on a future transfer to that server, likely not what you intended. To address these issues set a domain in Set-Cookie (doing that will include sub-domains) or use the Netscape format.

If this option is used several times, the last one will be used.

-c, --cookie-jar <file name>

(HTTP) Specify to which file you want curl to write all cookies after a completed operation. Curl writes all cookies previously read from a specified file as well as all cookies received from remote server(s). If no cookies are known, no data will be written. The file will be written using the Netscape cookie file format. If you set the file name to a single dash, "-", the cookies will be written to stdout.

This command line option will activate the cookie engine that makes curl record and use cookies. Another way to activate it is to use the -b, --cookie option.

If the cookie jar can't be created or written to, the whole curl operation won't fail or even report an error clearly. Using -v will get a warning displayed, but that is the only visible feedback you get about this possibly lethal situation.

Since 7.43.0 cookies that were imported in the Set-Cookie format without a domain name are not exported by this option.

If this option is used several times, the last specified file name will be used.

-D, --dump-header <file>

Write the protocol headers to the specified file.

This option is handy to use when you want to store the headers that an HTTP site sends to you. Cookies from the headers could then be read in a second curl invocation by using the -b, --cookie option! The -c, --cookie-jar option is a better way to store cookies.

When used in FTP, the FTP server response lines are considered being "headers" and thus are saved there.

If this option is used several times, the last one will be used

Alternatively, instead of using the command-line cURL app, write some code that uses the libCurl library. That will give you more direct control over cookie handling. libCurl has several features related to HTTP cookies:

Options for curl_easy_getinfo():

CURLINFO_COOKIELIST - get all known cookies

Options for curl_easy_setopt():

CURLOPT_COOKIE - set contents of HTTP Cookie header
CURLOPT_COOKIEFILE - file name to read cookies from
CURLOPT_COOKIEJAR - file name to store cookies to
CURLOPT_COOKIESESSION - start a new cookie session
CURLOPT_COOKIELIST - add to or manipulate cookies held in memory

Then you can store the cookies however you want, and assign them as needed to later HTTP sessions.

Grab current session's cookie with cURL

Curl can handle that for you; there is an option to store the cookies in a cookiejar and use those in subsequent requests.

Here is an example from the main curl site, which uses cookies from a file cookies.txt to set some and at the same time stores new cookies in newcookies.txt.

http://curl.haxx.se/docs/httpscripting.html#Cookie_Basics

curl --cookie cookies.txt --cookie-jar newcookies.txt  http://www.example.com

When going through a login process, for example, one would reuse the cookies from cookie jar.

bash curl with session cookies?

Check out the --cookie and --cookie-jar options on curl in the man page. They should do what you need.

How to stock my cookies from a curl request on a variable

I solve my problem by using regex on the request result. and use CURLOPT_COOKIE.

// Execute the request
$response = curl_exec($ch);
// Extract the cookie from the answer
preg_match_all('/^Set-Cookie:\s*([^;]*)/mi', $response, $matches);
$cookies = $matches[1][0];
// Extract the server response from the answer
preg_match_all('/text\/html\s*(.*)/m', $response, $matches);
$serverResponse = json_decode($matches[1][0]);

cURL -- cookies and sessions

To understand CURLOPT_COOKIESESSION, you need to know a couple of things about cookies. Cookies have expiration dates that are set by the website that issues the cookie. If an expiration date of a cookie has passed, the browser/client will not send it, and it will be deleted by the client. If a cookie is set with NO expiration date, the browser should use that cookie until the browser session is closed, or the user logs out and the cookie gets unset.

That said, CURLOPT_COOKIESESSION is a way to get cURL to simulate having closed the browser. If the COOKIEFILE has some session cookies in it (cookies with no expiration), it will normally send these if they were present in the file. If you set CURLOPT_COOKIESESSION, then it will NOT send any of the cookies that have no expiration date.

CURLOPT_COOKIE just gives you a means of setting the cookie data that will be sent to the server in raw format. This is useful if for example you have a raw HTTP cookie that you would like to send. Without this option, you would have to get those cookies into the COOKIEFILE, or set a custom HTTP header Cookie: with the raw value you had.

PHP - Using cURL to store cookie session into variable / memory

So it turns out I was actually doing this correctly and my assumptions were correct.

To keep the cookie session in a variable (vs. CURLOPT_COOKIEJAR). *Make sure you have CURLOPT_HEADER and CURLINFO_HEADER_OUT enabled.*
CURLOPT_FOLLOWLOCATION must be set to false. Otherwise your cookie won't send correctly (This is where CURLOPT_COOKIEJAR does best).

Use preg_match_all to extract cookies. Then use strpos to find the first occurence of "=". Some sites use encoding and include "="'s which won't work with "explode".

$data        = curl_exec($curl);
$header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
$header      = substr($data, 0, $header_size);

preg_match_all("/^Set-cookie: (.*?);/ism", $header, $cookies);
foreach( $cookies[1] as $cookie ){
    $buffer_explode = strpos($cookie, "=");
    $this->cookies[ substr($cookie,0,$buffer_explode) ] = substr($cookie,$buffer_explode+1);
}

When making your next curl call, re-call the cookie var/object into CURLOPT_COOKIE.

if( count($this->cookies) > 0 ){
    $cookieBuffer = array();
    foreach(  $this->cookies as $k=>$c ) $cookieBuffer[] = "$k=$c";
    curl_setopt($curl, CURLOPT_COOKIE, implode("; ",$cookieBuffer) );
}

This will allow you to keep the latest variable (i.e. changing sessions) intact.

Hope this helps anyone who bumps into this issue!