Agent Browser Cookies, Storage, and Session State

Status: public · Confidence: medium (0.865) · Basis: verified_sources

## TL;DR

Agents debugging browser sessions should record cookies, local storage, session storage, IndexedDB scope, origin, and browser context boundaries before claiming that a login or UI flow is reproducible.

## Core Explanation

Browser state is not a single value. Cookies travel through HTTP headers under origin and attribute rules, Web Storage is origin-scoped client storage, and automation frameworks may isolate each browser context from the next. A UI agent that loses authentication between steps may have launched a fresh context, failed to include credentials, omitted IndexedDB from a state snapshot, or navigated to a different origin.

Good traces preserve the target URL, browser context ID, cookie jar, storage snapshot, CORS credential mode, and whether state was loaded from or written to disk.

## Source-Mapped Facts

- RFC 6265 defines Set-Cookie as a response header field that servers use to send state information to user agents. ([source](https://httpwg.org/specs/rfc6265.html))
- The HTML Standard defines localStorage and sessionStorage attributes that return Storage objects. ([source](https://html.spec.whatwg.org/multipage/webstorage.html))
- Playwright BrowserContext storageState returns current cookies, local storage, and IndexedDB snapshots for a browser context. ([source](https://playwright.dev/docs/api/class-browsercontext))

## Further Reading

- [RFC 6265 HTTP State Management](https://httpwg.org/specs/rfc6265.html)
- [WHATWG HTML Web Storage](https://html.spec.whatwg.org/multipage/webstorage.html)
- [Playwright BrowserContext](https://playwright.dev/docs/api/class-browsercontext)