Skip to content
authentication cookies tutorial

Screenshot Pages with Cookies

Pass session cookies through the screenshot API to capture authenticated pages without replaying login flows. Learn cookie string format, security boundaries, and how this pairs with custom headers.

Julien Sobrier Founder & CEO

Why cookies unlock authenticated screenshots

Websites authenticate users with cookies: opaque tokens, session IDs, or signed values the browser sends on every subsequent request. If your screenshot worker presents the same cookie set as a logged-in user, the server returns the same HTML, JSON-in-HTML, and client-side bootstrap code—so the rendered pixels match production.

This pattern is ideal when you already operate a trusted backend that can mint or refresh sessions (OAuth code exchange, SAML assertion consumer, or your own login API). You forward the resulting cookie header to ScreenshotCenter instead of storing passwords inside automation definitions.

Cookie string format and parameters

Most integrations accept a single string compatible with the Cookie request header: name=value pairs separated by ; . Attributes such as Path, Domain, Secure, and HttpOnly are normally set by the server when the browser stores cookies; when you manually construct a string for an API, you usually pass only the name=value segments the origin needs.

Multiple cookies look like:

session_id=abc123; csrf_token=xyz789; preferred_lang=en

URL-encode the full string if you pass it as a query parameter so reserved characters do not break the request. When using JSON bodies, embed the raw string and let the client library encode the payload.

Capturing authenticated pages without login flows

Skipping the login UI yields faster jobs and fewer flaky selectors. It also avoids CAPTCHAs and MFA prompts that block unattended runs. Typical workflow:

  1. Your backend authenticates the user or a service principal through your normal stack.
  2. You read the session cookies applicable to the target host (respecting Domain and Path rules).
  3. You call the screenshot API with those cookies plus the target URL.
  4. You optionally add Referer, User-Agent, or other headers to mirror a real browser fingerprint.

If the application issues rotating CSRF tokens per page, ensure your cookie jar includes the token cookie that matches the document you are about to render.

Pairing cookies with custom HTTP parameters

Some SPAs gate API calls on headers as well as cookies. The screenshot API can often send additional headers alongside the cookie string so XHR-style bootstraps succeed. Consult Screenshot HTTP parameters for the exact fields supported in your version—common ones include custom request headers, POST bodies for endpoints that require a form submission, and cache-busting query flags.

Security checklist

ConcernMitigation
Cookie leakage in logsStrip cookies from application logs; use short-lived tokens
Cross-domain confusionVerify the screenshot URL host matches cookie Domain rules
Over-privileged sessionsUse read-only or monitoring roles for automated captures
Stale sessionsRefresh cookies on 401/403 responses before retrying jobs

cURL example

curl -G "https://api.screenshotcenter.com/api/screenshot/create" \
  --data-urlencode "url=https://app.example.com/reports/quarterly" \
  --data-urlencode "key=YOUR_API_KEY" \
  --data-urlencode "cookies=auth_session=FE26.2**..."

JavaScript example

import { createScreenshot } from "./lib/screenshotcenter.js";

await createScreenshot({
  url: "https://app.example.com/reports/quarterly",
  cookies: ["auth_session=FE26.2**...", "csrf=known-good-token"].join("; "),
  delay: 800,
});

Tune delay when the app hydrates from an API after the initial HTML shell loads.

Subdomains, staging hosts, and cookie scope

A cookie scoped to app.example.com is not automatically sent to api.example.com unless the Domain attribute was deliberately broadened. When you capture staging, confirm you are not mixing production cookies into a non-production hostname—or the reverse. If marketing lives on www while the signed-in product lives on app, you may need separate jobs or a cookie string that satisfies the host you navigate to first.

Rotating sessions and scheduled captures

Hourly or nightly monitoring should refresh cookies on a cadence shorter than the nominal session TTL. Sliding windows and central revocation mean a jar that worked yesterday can fail silently today. Add a lightweight authenticated probe from your orchestrator before enqueueing an expensive screenshot: if the probe returns 401, run your login or token exchange path to mint a new cookie string, then retry. Log correlation IDs per tenant and environment so operations can tell a bad cookie apart from an API outage.

When multiple screenshots fire in parallel for the same user, ensure they do not race the same refresh token endpoint; serialize refreshes or use distinct service principals if your IdP rate-limits token grants.

When cookies are not enough

If the site binds sessions to IP ranges, device fingerprints, or WebSocket side channels, cookies alone may still show a login screen. In those cases combine cookies with automation steps or route through the same egress geography your users use.

Summary

Session cookies are the lowest-friction way to screenshot authenticated pages at scale—provided you treat them as secrets, align domains, and refresh them before expiry. For parameter reference and edge cases, keep Screenshot HTTP bookmarked next to your integration tests.