LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

Which HTTP response header sets the session cookie in the browser, and what does the browser do with it afterwards?

The server sends Set-Cookie: session=<SID> in the response; the browser stores it and automatically returns it in a Cookie: header on every subsequent request to that site.

Browser POSTs credentials; server replies Set-Cookie; browser auto-sends Cookie on each later request.

* Set-Cookie once vs Cookie every request: the SID re-proves login over stateless HTTP. *

The flow:

  1. Browser POSTs credentials to /auth.
  2. Server validates them, creates a server-side session, and replies with Set-Cookie: session=<random-SID> (plus attributes like Expires, Path, HttpOnly).
  3. From then on the browser attaches Cookie: session=<SID> to every request to that origin — you don't write any code for this; it's built into the browser.

That automatic resending is exactly what re-proves "I'm logged in" on each stateless request.

Tip: Set-Cookie is a response header (server → browser, once); Cookie is a request header (browser → server, every time). Mixing them up is a classic exam slip.

Go deeper:

  • doc MDN: Set-Cookie header — the header's syntax plus the HttpOnly/Secure/Expires attributes that protect the SID.

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 05, 2026