Working with Cookies

A cookie is a small piece of data your Flask app stores in the visitor's browser and reads back on later requests.

Part of the free Flask course at LearnCodingFast — hands-on lessons with examples you run in your browser, plus practice exercises and a quick quiz.

In this lesson you'll set cookies on a response, read them from the request, control their lifetime and security flags, delete them, and learn when to reach for sessions instead.

Cookies are attached to a response, so first build one with make_response(...), then call set_cookie("name", "value") on it. Flask adds a Set-Cookie header, and the browser stores it.

The test client behaves like a browser: it captures the Set-Cookie header and sends the cookie back on later requests. The example checks the header so you can see exactly what was sent.

On the next request, the cookie arrives in request.cookies. Read it with request.cookies.get("name", default) — the default protects first-time visitors who don't have the cookie yet.

Because the test client remembers cookies across calls, the example below sets the cookie on one request and reads it on the next, exactly like a real browsing session.

The first visit shows the light default; after the cookie is set, the second visit reads dark — the browser sent it back automatically.
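The set-then-read round trip described above, as an added example (not the lesson's own code): the test client stands in for the browser, the Set-Cookie header is captured on the setting request, and the cookie comes back on the next one. Route and cookie names are this example's own choices.

```python
# Added example (not the lesson's own code): set a "theme" cookie on one
# request and read it back on the next, using Flask's test client as the browser.
from flask import Flask, make_response, request

app = Flask(__name__)


@app.route("/set/<theme>")
def set_theme(theme):
    # A plain string return has no set_cookie; wrap it in a response first.
    resp = make_response(f"theme set to {theme}")
    resp.set_cookie("theme", theme)
    return resp


@app.route("/")
def index():
    # The default protects first-time visitors who have no cookie yet.
    theme = request.cookies.get("theme", "light")
    return f"theme is {theme}"


def demo():
    """Run three requests through one client; returns what each one saw."""
    client = app.test_client()
    first = client.get("/").get_data(as_text=True)      # no cookie yet: default
    set_resp = client.get("/set/dark")
    header = set_resp.headers.get("Set-Cookie", "")     # what the browser stores
    second = client.get("/").get_data(as_text=True)     # cookie sent back automatically
    return first, header, second


if __name__ == "__main__":
    print(demo())
```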

By default a cookie disappears when the browser closes. Pass max_age (seconds) or expires (a datetime) to make it persist. Add security flags for anything sensitive: httponly=True (hidden from JavaScript), secure=True (HTTPS only), and samesite="Lax" (limits cross-site sending).

To remove a cookie, call delete_cookie("name") on a response — it sends an expired Set-Cookie so the browser drops it.
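Lifetime, security flags and deletion together, as an added example (not the lesson's own code): one route sets a cookie with max_age plus httponly, secure and samesite, another deletes it, and a small parser breaks each Set-Cookie header into its attributes so you can check what the browser was told. The cookie name, its value and the 30-day lifetime are constructed for this example.

```python
# Added example (not the lesson's own code): a cookie set with a lifetime and
# security flags, then deleted, with the resulting Set-Cookie headers inspected.
from flask import Flask, make_response

app = Flask(__name__)


@app.route("/remember")
def remember():
    resp = make_response("remembered")
    # Persist for 30 days; hidden from JavaScript; HTTPS only; limited cross-site sending.
    resp.set_cookie(
        "session_hint", "abc123",  # constructed name and value
        max_age=30 * 24 * 3600,
        httponly=True,
        secure=True,
        samesite="Lax",
    )
    return resp


@app.route("/forget")
def forget():
    resp = make_response("forgotten")
    resp.delete_cookie("session_hint")  # sends an already-expired Set-Cookie
    return resp


def cookie_attributes(set_cookie_header):
    """Parse 'name=value; Attr; Attr=val' into a dict keyed by lower-cased attribute."""
    parts = [p.strip() for p in set_cookie_header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name, "value": value}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True   # bare flags become True
    return attrs


def demo():
    """Returns the parsed Set-Cookie headers of the set and the delete response."""
    client = app.test_client()
    set_attrs = cookie_attributes(client.get("/remember").headers["Set-Cookie"])
    del_attrs = cookie_attributes(client.get("/forget").headers["Set-Cookie"])
    return set_attrs, del_attrs


if __name__ == "__main__":
    print(demo())
```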

Rule of thumb: non-sensitive preference → cookie. Anything a user shouldn't be able to forge → session.

Complete the routes so one sets a lang cookie and the other reads it. Replace each ___.

A view that returns "hi" has no set_cookie method. Wrap it: resp = make_response("hi"); resp.set_cookie(...) and return resp.

Plain cookies are readable and editable by the user. Never store user IDs you trust, passwords, or roles in one — use a signed session instead.
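Why the rule of thumb holds, as an added example (not the lesson's own code): the same "role" is read once from a plain cookie and once from the signed session. A hand-written plain cookie is taken at face value, while a session cookie that was not signed with SECRET_KEY is rejected and the session comes back empty. The routes, the constructed SECRET_KEY and the constructed cookie values are this example's own.

```python
# Added example (not the lesson's own code): a plain "role" cookie is whatever
# the browser sends; the signed session only yields values the server signed.
from flask import Flask, request, session

app = Flask(__name__)
app.config["SECRET_KEY"] = "dev-only-change-me"  # constructed; use a long random key for real apps


@app.route("/role-from-cookie")
def role_from_cookie():
    # Trusts the client completely: never do this for authorization decisions.
    return request.cookies.get("role", "guest")


@app.route("/login")
def login():
    session["role"] = "member"  # serialized and signed into the "session" cookie
    return "logged in"


@app.route("/role-from-session")
def role_from_session():
    # Flask checks the signature first; a bad one yields an empty session, so the default wins.
    return session.get("role", "guest")


def demo():
    """Returns (role from forged plain cookie, role from forged session cookie, role after real login)."""
    # Constructed: a hand-written Cookie header with no server involvement at all.
    with app.test_request_context("/role-from-cookie", headers={"Cookie": "role=admin"}):
        forged_plain = role_from_cookie()
    # Constructed: a session cookie whose payload claims "admin" but carries a bogus signature.
    with app.test_request_context(
        "/role-from-session", headers={"Cookie": "session=eyJyb2xlIjoiYWRtaW4ifQ.bogus.sig"}
    ):
        forged_session = role_from_session()
    client = app.test_client()
    client.get("/login")  # server signs {"role": "member"} into the session cookie
    genuine = client.get("/role-from-session").get_data(as_text=True)
    return forged_plain, forged_session, genuine


if __name__ == "__main__":
    print(demo())
```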

Use a cookie to count how many times this browser has visited.
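One way to do the visit counter, as an added example (not the lesson's own solution): cookies are strings and the browser may send back anything, so the stored value is parsed defensively (non-numeric, negative or absurdly large values reset the count) before it is incremented and written back as text. The cap value, cookie name and one-year lifetime are this example's own choices.

```python
# Added example (not the lesson's own code): a per-browser visit counter that
# never trusts the cookie value it reads back.
from flask import Flask, make_response, request

app = Flask(__name__)
MAX_COUNT = 1_000_000  # constructed cap: a tampered huge value cannot grow unbounded


def parse_count(raw):
    """Turn the cookie string into a non-negative int; anything odd resets to 0."""
    try:
        n = int(raw)
    except (TypeError, ValueError):  # missing cookie (None) or non-numeric text
        return 0
    return n if 0 <= n <= MAX_COUNT else 0


@app.route("/")
def index():
    visits = parse_count(request.cookies.get("visits")) + 1
    resp = make_response(f"visit number {visits}")
    # str() because cookies are text; max_age keeps the count across browser restarts.
    resp.set_cookie("visits", str(visits), max_age=365 * 24 * 3600,
                    httponly=True, samesite="Lax")
    return resp


def demo(n=3):
    """Visit n times with one client; returns the list of bodies seen."""
    client = app.test_client()
    return [client.get("/").get_data(as_text=True) for _ in range(n)]


if __name__ == "__main__":
    print(demo())
```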

You can set cookies on a response, read them from request.cookies, control lifetime and security flags, delete cookies, and choose sessions when data must be tamper-proof.

Practice quiz

How do you attach a cookie to a Flask response?

  • return set_cookie('k', 'v')
  • request.set_cookie('k', 'v')
  • resp.set_cookie('k', 'v') on a make_response object
  • flask.cookie('k', 'v')

Answer: resp.set_cookie('k', 'v') on a make_response object. Build a response with make_response(...) then call resp.set_cookie('k', 'v').

How do you read a cookie named 'theme' in a view?

  • request.cookies.get('theme')
  • request.get_cookie('theme')
  • theme

Answer: request.cookies.get('theme'). Incoming cookies live in request.cookies, a dict-like object; use .get for a safe default.

Why must you use make_response before set_cookie?

  • It encrypts the value
  • A plain string return has no set_cookie method
  • It is required by HTTP
  • It sets the SECRET_KEY

Answer: A plain string return has no set_cookie method. set_cookie is a method on a response object, so you need a real response, not a bare string.

Which argument sets how long a cookie persists, in seconds?

  • lifetime
  • timeout
  • duration
  • max_age

Answer: max_age. max_age takes a number of seconds; expires takes a datetime instead.

What does request.cookies.get('x', 'y') return when cookie 'x' is missing?

  • 'y'
  • None
  • an empty string
  • it raises KeyError

Answer: 'y'. The second argument is the default returned when the key is absent.

Which flag hides a cookie from client-side JavaScript?

  • secure=True
  • samesite='Strict'
  • httponly=True
  • signed=True

Answer: httponly=True. httponly=True blocks document.cookie access, reducing XSS theft.

What does secure=True do for a cookie?

  • Signs the cookie
  • Only sends it over HTTPS
  • Encrypts the value
  • Makes it permanent

Answer: Only sends it over HTTPS. secure=True tells the browser to send the cookie only on HTTPS connections.

How do you remove a cookie from the browser?

  • resp.delete_cookie('name')
  • request.cookies.pop('name')
  • resp.set_cookie('name', None)
  • name

Answer: resp.delete_cookie('name'). delete_cookie sends an expired Set-Cookie so the browser drops it.

Cookie values are stored in the browser as what type?

  • integers
  • JSON objects
  • strings
  • bytes

Answer: strings. Cookies are text, so numbers must be converted with int(...)/str(...).

For tamper-proof login state you should use what instead of a plain cookie?

  • a longer cookie
  • a Flask session
  • a query string
  • request.args

Answer: a Flask session. Sessions are signed (and need SECRET_KEY), so users cannot forge their contents.