Cookie Jar

Cookie Jar

Curlex includes a persistent, RFC-compliant cookie jar. When an API response includes Set-Cookie headers, Curlex stores those cookies and automatically sends them back on subsequent requests to the same domain — exactly like a browser does.

This means you do not need to manually copy session tokens or CSRF cookies between requests. Log in once, and every subsequent request in the same session uses the cookies the server set.

How It Works

  1. You send a request and the server responds with Set-Cookie: session=abc123; Path=/; HttpOnly.
  2. Curlex stores the cookie in the jar, associated with the response domain.
  3. On your next request to the same domain, Curlex includes Cookie: session=abc123 in the request headers automatically.

The cookie jar respects cookie attributes: Domain, Path, Expires, HttpOnly, Secure, and SameSite.

Click Cookies in the status bar at the bottom of the window. The Cookie Manager opens in a panel showing all stored cookies, grouped by domain.

Managing Cookies

From the Cookie Manager you can:

  • View all cookies for every domain, with their full attributes.
  • Edit a cookie value directly.
  • Delete a single cookie.
  • Clear all cookies for a specific domain.

When to Use This

The cookie jar is most useful when:

  • Testing session-based APIs — log in via a POST request, and all subsequent requests automatically include the session cookie.
  • Testing CSRF-protected endpoints — the CSRF token cookie is stored after a GET request and included in subsequent POST/PUT/DELETE requests automatically.
  • Debugging cookie-related behaviour — use the Cookie Manager to inspect exactly what was set, when it expires, and whether HttpOnly or Secure flags are present.

If you want a request to ignore the cookie jar — for example, to test an unauthenticated endpoint while logged in — you can remove the relevant cookies in the Cookie Manager before sending, or clear the jar entirely.