Skip to main content
LiteClient includes a built-in cookie jar that automatically manages cookies for your API requests. Cookies are sent based on domain matching, persisted across VS Code sessions, and can be managed through a dedicated interface. LiteClient automatically handles cookies without manual configuration:
1

Server Sets Cookies

When a server sends a Set-Cookie header in the response, LiteClient automatically stores it in the cookie jar.
2

Cookies Sent Automatically

On subsequent requests to the same domain, LiteClient automatically includes relevant cookies in the request headers.
3

Domain and Path Matching

Cookies are sent only to matching domains and paths based on the cookie’s domain and path attributes.
4

Expiration Handling

Expired cookies are automatically removed from the jar and not sent with requests.
Cookie management is fully automatic. You don’t need to manually copy cookies or configure cookie headers.

Viewing Cookies

View cookies in two places:
After sending a request, view cookies set by the server in the Cookies tab of the response panel:Each cookie displays with:
  • Name - Cookie identifier
  • Value - Cookie content
  • Domain - Cookie scope (e.g., .example.com)
  • Path - URL path scope (e.g., /, /api)
  • Expires - Expiration date and time
  • HttpOnly - Whether JavaScript can access the cookie
  • Secure - Whether the cookie requires HTTPS
Cookies are automatically saved and loaded across VS Code sessions:
  • Automatic Save - Cookies are saved to disk immediately when received
  • Session Persistence - Cookies persist when you close and reopen VS Code
  • Storage Location - Cookies are stored in cookies.json in your storage directory
  • Per-Scope Storage - Global and workspace storage maintain separate cookie jars
Session cookies (cookies without an expiration date) are persisted across VS Code sessions, unlike browser behavior where session cookies are cleared when the browser closes.
LiteClient respects standard cookie attributes:

Domain Attribute

Controls which domains receive the cookie:
  • Exact domain - domain=api.example.com matches only api.example.com
  • Subdomain wildcard - domain=.example.com matches api.example.com, www.example.com, etc.
  • No domain - Cookie is sent only to the exact origin that set it

Path Attribute

Controls which URL paths receive the cookie:
  • path=/ - Cookie sent to all paths
  • path=/api - Cookie sent only to /api and its subpaths like /api/users
  • path=/api/v1 - Cookie sent only to /api/v1 and deeper paths

Secure Flag

When Secure is set:
  • Cookie is sent only over HTTPS connections
  • HTTP requests do not receive the cookie
  • Prevents cookie interception over insecure connections
Secure cookies are not sent to http:// URLs. Use HTTPS in your request URLs to receive secure cookies.

HttpOnly Flag

When HttpOnly is set:
  • Cookie cannot be accessed by JavaScript
  • Protects against XSS attacks
  • Automatically respected by LiteClient (no JavaScript access in scripts)

Expires / Max-Age

Controls cookie lifetime:
  • Expires - Absolute expiration date (Expires=Wed, 21 Oct 2026 07:28:00 GMT)
  • Max-Age - Relative expiration in seconds (Max-Age=3600 for 1 hour)
  • No expiration - Session cookie (deleted when browser closes, but persisted by LiteClient)
LiteClient uses the tough-cookie library for RFC 6265-compliant cookie handling.

Managing Cookies

Delete Individual Cookies

Remove specific cookies from the jar:
1

Open Cookie Manager

Run LiteClient: Manage Cookies from the Command Palette.
2

Find the Cookie

Expand the domain group to find the cookie you want to delete.
3

Delete

Click the delete icon next to the cookie to remove it from the jar.

Delete Domain Cookies

Remove all cookies for a specific domain:
1

Open Cookie Manager

Run LiteClient: Manage Cookies from the Command Palette.
2

Select Domain

Find the domain whose cookies you want to delete.
3

Delete All

Click the delete icon next to the domain to remove all cookies for that domain.
Deleting domain cookies is useful when you want to clear session state for a specific API without affecting other domains.

Clear All Cookies

Remove all cookies from the jar:
Run LiteClient: Clear Cookie Jar from the Command Palette to delete all cookies immediately.
Clearing all cookies is permanent and cannot be undone. You’ll need to re-authenticate with any APIs that rely on cookie-based sessions.
Many APIs use cookies for session management:

Login Flow Example

1

Send Login Request

Send a POST request to the login endpoint with credentials:
{
  "username": "[email protected]",
  "password": "secret"
}
2

Server Sets Session Cookie

The server responds with a Set-Cookie header:
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure
3

Cookie Stored Automatically

LiteClient stores the session cookie in the cookie jar.
4

Subsequent Requests

All future requests to the same domain automatically include the session cookie:
Cookie: session=abc123
5

Authenticated Access

The server recognizes the session and grants access to protected resources.
You don’t need to manually copy or set cookies. LiteClient handles the entire cookie lifecycle automatically.
Cookies are stored according to your active storage scope:
When using global storage (default):
  • Cookies are stored in VS Code’s global storage
  • Available across all workspaces
  • Private to your machine
  • Not shared via Git
Be careful when committing workspace storage to Git. The cookies.json file may contain sensitive session tokens. Consider adding it to .gitignore.
If a cookie isn’t being sent with requests:
  1. Check domain matching - Verify the request URL matches the cookie’s domain
  2. Check path matching - Ensure the request path matches the cookie’s path
  3. Check expiration - Verify the cookie hasn’t expired
  4. Check Secure flag - Use HTTPS if the cookie has the Secure flag
  5. Review cookie jar - Open the Cookie Manager to verify the cookie is stored
If a cookie isn’t appearing in the jar:
  1. Check response headers - Verify the server sent a Set-Cookie header
  2. Check cookie format - Ensure the Set-Cookie header is valid
  3. Check domain attribute - Verify the domain matches the request origin
  4. Review response - Look for cookie-related errors in the response
Use the Response Headers tab to view the exact Set-Cookie header sent by the server. This helps diagnose why a cookie might not be stored.

Best Practices

Always use HTTPS when working with authentication cookies. This prevents cookie interception and ensures Secure cookies are sent.
When testing with multiple user accounts, clear cookies between tests to avoid session conflicts.
Open the Cookie Manager regularly to review stored cookies and delete expired or unnecessary entries.
Use global storage for personal testing and workspace storage for team-shared test sessions (with caution).