Quiz Entry - updated: 2026.07.05
Which HTTP response header sets the session cookie in the browser, and what does the browser do with it afterwards?
The server sends Set-Cookie: session=<SID> in the response; the browser stores it and automatically returns it in a Cookie: header on every subsequent request to that site.
* Set-Cookie once vs Cookie every request: the SID re-proves login over stateless HTTP. *
The flow:
- Browser POSTs credentials to
/auth. - Server validates them, creates a server-side session, and replies with
Set-Cookie: session=<random-SID>(plus attributes likeExpires,Path,HttpOnly). - From then on the browser attaches
Cookie: session=<SID>to every request to that origin — you don't write any code for this; it's built into the browser.
That automatic resending is exactly what re-proves "I'm logged in" on each stateless request.
Tip: Set-Cookie is a response header (server → browser, once); Cookie is a request header (browser → server, every time). Mixing them up is a classic exam slip.
Go deeper:
MDN: Set-Cookie header — the header's syntax plus the HttpOnly/Secure/Expires attributes that protect the SID.