How To Read Cookie Value In POSTMAN (REST API Client) For Request Chaining


In Postman, writing and executing automated tests became possible with the launch of Jetpacks: you can write your basic API tests in JavaScript. JavaScript gives you the power and freedom to write any test scenario for automation testing.

However, there was a limitation: you could not read the cookie value from the response headers. The good news is that POSTMAN has recently released a new version, which allows you to read cookies programmatically from within the Test Editor.

You can now write test scripts that read a cookie value and set it as an Environment (or Global) Variable for use in subsequent API calls (Request Chaining).

Read Cookie Value In POSTMAN


1. We need to send a request to the ‘UserInfo’ Web API to receive user details, but we cannot send the request directly.

2. We need to send a ‘login’ request (with valid credentials) to receive a token as a cookie value and then set it as an ‘environment variable’.

3. Finally, we will use the ‘environment variable’ in the ‘request’ header to send an authorized request to the ‘UserInfo’ Web API.

Let’s Begin

1. Send the ‘login’ request with valid credentials to receive the token in a cookie, as shown in the snapshot below:

POSTMAN - Sending request to Login API

2. As you can see in the screenshot above, the highlighted text is the XID cookie we have received. This is our token, which we need to read programmatically (using JavaScript) from the test editor and set as an Environment variable, as shown in the snapshot below:

Postman - Read Cookie from request headers (Writing Tests in Test Editor)

Postman does not handle cookies as part of the response headers; instead, Postman receives cookies from Chrome (using the Interceptor plugin). To read the cookies received with a response, Postman provides the following method: postman.getResponseCookie("Cookie-name").value

Line 1: token1 is declared as a new variable that stores the ‘xid’ cookie value, read with the getResponseCookie("cookie name").value method.

Line 2: As you can see in screenshot 1, the value of the ‘xid’ cookie is received across two lines, which adds a new line character “<br/>” to our cookie value. We need to get rid of it to obtain the correct cookie value, so we use the JavaScript replace function to find the new line character in the string and replace it with the empty string "".

Line 3: We use the method provided by Postman to take the token2 variable, which now contains the correct cookie value, and set it as an “EnvironmentVariable” named X-CSRF-TOKEN. We can then use it as the variable {{X-CSRF-TOKEN}} in other requests.

3. After writing that script in the test editor, don’t forget to save it.

4. Now go to POSTMAN -> Manage Environment -> Pentest Environment -> Edit and add X-CSRF-TOKEN as variable & {{X-CSRF-TOKEN}} as value, as shown below:

Postman - Management Environments

5. Go to the ‘userinfo’ web API -> click on headers -> open and add X-CSRF-TOKEN as variable & {{X-CSRF-TOKEN}} as value, as shown below:

POSTMAN - Adding Headers in a Web API

6. Go to the ‘login’ web API and send the request. When you get the response, the script will be executed and X-CSRF-TOKEN will be set as an ‘environment’ variable. To confirm, run the ‘userinfo’ web API and you will get the response an authenticated request would get, as shown in the snapshot below:

POSTMAN - successful response received

You can use this for request chaining and for running a suite of Web APIs to test a specific scenario.
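The test script walked through in step 2 (Line 1 to Line 3) could look like the following. This is an added example, not the author's own script: the helper names chainCookie, cleanCookieValue and makeStubPostman and the sample cookie value are assumptions. It goes slightly beyond the walkthrough by also stripping real CR/LF characters and by leaving the environment variable untouched when the login response carried no ‘xid’ cookie.

```javascript
// Added example for the Postman "Tests" editor (legacy `postman` API named in this article).
// Cookie name 'xid' and variable name 'X-CSRF-TOKEN' follow the article.

function cleanCookieValue(raw) {
  // Remove the "<br/>" the article describes, plus real CR/LF and surrounding spaces.
  return String(raw).replace(/<br\s*\/?>/gi, '').replace(/[\r\n]+/g, '').trim();
}

function chainCookie(client, cookieName, envName) {
  var cookie = client.getResponseCookie(cookieName);
  if (!cookie || !cookie.value) {
    // Login failed or the cookie was not captured: keep any previous value
    // instead of overwriting it with "undefined".
    return null;
  }
  var token = cleanCookieValue(cookie.value);
  client.setEnvironmentVariable(envName, token);
  return token;
}

// Constructed stand-in for the sandbox object so the script also runs under plain Node.
function makeStubPostman(cookies) {
  var env = {};
  return {
    env: env,
    getResponseCookie: function (name) { return cookies[name]; },
    setEnvironmentVariable: function (key, value) { env[key] = value; }
  };
}

var client = (typeof postman !== 'undefined')
  ? postman
  : makeStubPostman({ xid: { value: 'abc123<br/>\ndef456' } }); // constructed sample value

var stored = chainCookie(client, 'xid', 'X-CSRF-TOKEN');

// Inside Postman, report a failed test when the token was not captured,
// so a broken login is visible before the chained 'userinfo' request runs.
if (typeof tests !== 'undefined') {
  tests['xid cookie stored as X-CSRF-TOKEN'] = stored !== null;
}
```

In Postman only the two helper functions and the final chainCookie call are needed; the stub exists so the logic can be checked outside the app.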

Welcome To My Blog – Ishan Girdhar

Hello, and welcome to my blog!

I’m Ishan Girdhar, a security architect specializing in web and mobile application security, predominantly using open source tools.


I’ve spent the last few years working closely with agile environments, building applications of all sizes for diverse clients, which has given me exposure to a number of technologies, techniques, ways of working, and of course, many lessons learnt.


Through this blog, I hope to share my knowledge and learnings with the community, both from the past and going forward, along with my thoughts and other random epiphanies.
