-
Notifications
You must be signed in to change notification settings - Fork 0
Cookie Authentication
Some sites require the user to be logged in to access content. yt-dlp handles this via a Netscape-format cookies file passed with the --cookies option.
yt-dlp expects a plain text file where each line represents one cookie:
# Netscape HTTP Cookie File
<domain> <includeSubDomains> <path> <secure> <expiry> <name> <value>
Fields are separated by tabs. Example:
# Netscape HTTP Cookie File
.example.com TRUE / TRUE 0 sessionid abc123xyz
.example.com TRUE / TRUE 0 csrftoken def456uvw
The easiest method if your users can log in on a desktop browser:
- Install a browser extension that exports cookies in Netscape format (e.g. "Get cookies.txt LOCALLY" for Chrome/Firefox)
- Export cookies for the target site
- Transfer the
.txtfile to the device - Pass it to the request:
YtDlpRequest request = new YtDlpRequest(url)
.addOption("--cookies", "/sdcard/Download/cookies.txt")
.setOutputTemplate(outputPath);If your app has a WebView where the user logs in, Android's CookieManager gives you access to the session cookies.
WebView webView = new WebView(context);
webView.getSettings().setJavaScriptEnabled(true);
webView.setWebViewClient(new WebViewClient() {
@Override
public void onPageFinished(WebView view, String url) {
// Detect successful login by URL change
if (url.contains("example.com") && !url.contains("/login")) {
onLoginSuccess();
}
}
});
webView.loadUrl("https://www.example.com/login");import android.webkit.CookieManager;
import java.io.*;
public static File exportCookiesToFile(Context context, String domain)
throws IOException {
CookieManager cm = CookieManager.getInstance();
String rawCookies = cm.getCookie("https://" + domain);
if (rawCookies == null || rawCookies.isEmpty()) {
throw new IOException("No cookies found for " + domain +
" — is the user logged in?");
}
File cookieFile = new File(context.getFilesDir(), "cookies_" + domain + ".txt");
StringBuilder sb = new StringBuilder("# Netscape HTTP Cookie File\n");
for (String pair : rawCookies.split(";")) {
pair = pair.trim();
int eq = pair.indexOf('=');
if (eq < 0) continue;
String name = pair.substring(0, eq).trim();
String value = pair.substring(eq + 1).trim();
// <domain> <subDomains> <path> <secure> <expiry> <name> <value>
sb.append(".").append(domain).append("\tTRUE\t/\tTRUE\t0\t")
.append(name).append("\t").append(value).append("\n");
}
try (FileWriter fw = new FileWriter(cookieFile)) {
fw.write(sb.toString());
}
return cookieFile;
}File cookiesFile = exportCookiesToFile(context, "example.com");
YtDlpRequest request = new YtDlpRequest(videoUrl)
.addOption("--cookies", cookiesFile.getAbsolutePath())
.setOutputTemplate(outputPath);
YtDlp.executeAsync(request, progressCallback);Cookie files contain session tokens — treat them like passwords:
// Delete after the download completes
cookiesFile.delete();- Cookie expiry — Session cookies have a limited lifespan. If a download fails with a 401 or 403 error after a period of inactivity, the user needs to log in again and new cookies must be exported.
-
Security — Never log cookie file contents. Store cookie files in the app's private internal storage (
context.getFilesDir()), which is inaccessible without root. - Pro version — The Pro version (curl-cffi) eliminates the need for cookies on sites that use TLS fingerprinting by impersonating a real browser at the network level.
No cookies found → The user is not logged in to the site in your WebView, or the domain name doesn't match exactly.
403 error even with cookies → The cookies have expired or the site requires additional headers. Try adding:
request.addOption("--add-header", "Referer:https://www.example.com/");The extractor is attempting impersonation → Cookies alone are not enough for this site — it requires TLS fingerprint impersonation. Use the Pro version.