Keeping curl cookies a secret
Edited: Sunday 2 February 2025

The solution

Passing cookies to curl without allowing other users on your system to see them via the process list:

1echo "--cookie sessionid=012345679abcdefghijklmnopqrstuvwxyz" | curl --config -

Why this works

This works because echo is generally a built-in of your shell:

 1# Using bash
 2$ type echo
 3echo is a builtin
 4
 5# Using sh
 6$ type echo
 7echo is a shell builtin
 8
 9# Using fish
10$ type echo
11echo is a builtin

Verifying

The correctness can be verified by first displaying all processes as they get created:

1# Run this in a second terminal as root
2$ forkstat | grep 'cookie\|curl'

If you now run the original snippet you’ll see curl show up but not your cookie. If you replace echo (the builtin) with /usr/bin/echo (a separate program) your cookie will show up. That’s why you need to be careful with that you put on the command line.


You're reached the end of this page.