Cookies in Django – Setting, retrieving and deleting cookies

HTTP is a stateless protocol, so when a request is sent to the server, the server does not know whether you are requesting the page for the first time or you are the same user who has visited this page many times before.

This statelessness was a problem for ecommerce website developers, because persistence across requests is what makes it possible to recommend products or display products in a shopping cart. To meet this need, the cookie was introduced.

A cookie is a small piece of data that the server sends and the user's browser stores. Cookies are commonly used to store user preferences.

This is how cookies work, in general:

  1. The browser sends the request to the server.
  2. The server sends the response along with one or more cookies to the browser.
  3. The browser saves the cookie it received from the server. From now on, the browser will send this cookie to the server every time any request is made to the server until the cookie expires.
  4. When the cookie expires, it is removed from the browser.

Working With Cookies

The Django HttpResponse object has a set_cookie() method.

Its syntax is:

set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False, samesite=None)
  1. key: Name of the cookie.
  2. value: Value you want to store in the cookie. You can set an int or a string, but it is always read back as a string.
  3. max_age: Should be a number of seconds, or None (default) if the cookie should last only as long as the client’s browser session. If expires is not specified, it will be calculated.
  4. expires: Should either be a string in the format "Wdy, DD-Mon-YY HH:MM:SS GMT" or a datetime.datetime object in UTC. If expires is a datetime object, the max_age will be calculated.

Check the complete method definition in the Django docs.

Every Django request object has a COOKIES attribute, which is a dictionary. We can use COOKIES to read a cookie value; the value is returned as a string even if you set an integer.


Let’s take an example.

Create a view in your as below:

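from django.http import HttpResponse
from django.utils.html import escape

def test_cookie(request):
    # First visit: no 'team' cookie yet, so set one on the response.
    if not request.COOKIES.get('team'):
        response = HttpResponse("Visiting for the first time.")
        response.set_cookie('team', 'barcelona')
        return response
    # Cookie values are client-controlled, so escape before writing them into HTML.
    return HttpResponse("Your favorite team is {}".format(escape(request.COOKIES['team'])))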

Now, add the URL for this view in

urlpatterns = [
    path('test_cookie/', views.test_cookie, name='test_cookie'),
]

When you browse for the first time, the server sends the cookie team along with the response and the browser stores it. Here, we did not set max_age, so the browser will delete the cookie when the browser is closed.

When cookies are set in the browser with test_cookie or any other requests, each subsequent request to any other pages of, will send all the cookies to the server.

HttpResponse does not include any cookies unless you call set_cookie().

To view the cookies sent by the server in Google Chrome, press Ctrl+Shift+J to open the Developer Console.

Delete or update a cookie

To delete a cookie, call response.delete_cookie('cookie_name'). There is no cookie update method in HttpResponse; use set_cookie() to update the cookie value or expiry time.

Keep this in mind when using cookies

  1. Never use cookies to store sensitive data like passwords. Cookies store data in plain text; as a result, anybody can read or modify them.
  2. Most browsers don’t allow cookies to store more than 4KB of data (i.e. 4KB for each cookie). Further, most browsers accept no more than 30 cookies per website. The exact number of cookies per website varies from browser to browser; see Browser Cookie Limits for more details.
  3. Recall that once the cookie is set in the browser, it will be sent along with each request to the server. Let’s say we have added 20 cookies, each of size 4KB; that works out to 80KB. That means the browser would need to send 80KB of additional data with every request to the server!
  4. Users can delete cookies at will. Users can even configure their browsers to not accept cookies at all.
