Correct Cookie File Format for Curl

This article explains the correct format for a cookie file read by the curl command-line tool. It details the legacy Netscape/Mozilla cookie file format required by curl, breaks down the seven tab-separated fields that make up each line, and provides a practical example of how to structure and use these files.

To read cookies from a file, curl requires the legacy Netscape cookie file format. This is a plain text format where each line represents a single cookie, and the fields within each line are separated by a horizontal tab character (\t). Spaces will cause parsing errors.

Lines beginning with # are treated as comments and ignored by curl, with one exception: HTTP-only cookies are prefixed with #HttpOnly_.

The Seven-Column Structure

Every active cookie line must contain exactly seven columns in the following order:

  1. Domain (string): The domain that created and can read the cookie (e.g., .example.com). Starting the domain with a dot makes it valid for all subdomains.
  2. Include Subdomains (boolean): Must be TRUE or FALSE. Specifies whether all machines within the domain can access the cookie. If the domain starts with a dot, this is typically TRUE.
  3. Path (string): The path on the domain for which the cookie is valid (usually /).
  4. Secure (boolean): Must be TRUE or FALSE. Indicates whether a secure connection (HTTPS) is required to transmit the cookie.
  5. Expiration (integer): The UNIX epoch timestamp (in seconds) representing when the cookie expires (e.g., 1824192000). For session cookies that expire when the browser closes, use 0.
  6. Name (string): The name of the cookie.
  7. Value (string): The value of the cookie.

Below is an example of a properly formatted cookie file. Ensure you use actual tabs to separate the fields if you copy this template:

# Netscape HTTP Cookie File
# This is a comment line
.example.com    TRUE    /   TRUE    1824192000  session_id  xyz123abc
www.example.com FALSE   /account    FALSE   0   user_preference dark_mode
#HttpOnly_.example.com  TRUE    /   TRUE    1824192000  secure_token    secret987

Note: The third cookie in the example uses the #HttpOnly_ prefix, which tells curl that the cookie should not be accessible via client-side scripts.

To pass this cookie file to curl for a request, use the -b (or --cookie) option followed by the path to the file:

curl -b cookies.txt https://www.example.com

If you want to perform a request, accept new cookies from the server, and write them back to the file in the correct format, use the -c (or --cookie-jar) option:

curl -b cookies.txt -c cookies.txt https://www.example.com