Getting Past 403 Forbidden Errors by Enabling Cookies with Python Requests

Apr 2, 2024 ยท 3 min read

Encountering 403 Forbidden errors when making requests with the Python Requests library can be frustrating. This article will explain what causes these errors, and how you can resolve them by properly configuring cookies.

What Triggers a 403 Forbidden Error?

A 403 Forbidden client error status response code indicates that the server understands the request but refuses to authorize it. There are a few common triggers for 403 errors:

  • Missing or invalid authentication - The server is refusing access because the client has not been authenticated or provided invalid login credentials.
  • IP address not allowed - The server has blacklisted the client's IP address.
  • Too many requests - The client has sent too many requests too quickly and has been rate limited.
  • Invalid CSRF token - The client did not provide a valid cross-site request forgery prevention token.
  • Out of these common cases, issues with authentication and CSRF tokens most commonly lead to 403 errors with Requests.

    Why Do Cookies Matter for Authentication?

    Many login mechanisms rely on cookies to store session tokens and authenticate requests. Here is a simplified overview:

    1. Client sends login credentials to server
    2. Server verifies credentials and creates a session
    3. Server sets a session cookie with a token on the client
    4. Client sends authenticated requests with the cookie
    5. Server validates the session token from the cookie

    If cookies are disabled, the client cannot maintain the authenticated session, leading to 403 errors on subsequent requests.

    Enabling Cookies with Requests

    By default, the Python Requests library will send cookies from the client to the server, but will not save cookies set by the server locally.

    To allow cookie persistence on the client, we need to create a Requests Session object and enable cookies:

    import requests
    session = requests.Session()

    Now any cookies set by the server will be stored in the session.cookies object and automatically sent with future requests from this session.

    Practical Example with Login

    Here is some sample code that logs into a fictional site, stores the authentication cookie, and then accesses a protected resource, avoiding a 403 error:

    import requests
    session = requests.Session()
    # Log in and store session cookie
    resp ="", data={"username": "foo", "password": "bar"})
    # Session cookie handles authentication
    resp = session.get("") 

    So by creating a persistent Session and enabling cookies, we can login once and access authenticated resources without further credentials.

    Other Approaches to Avoiding 403 Errors

    While cookies are commonly part of authentication schemes, some APIs use token-based authentication instead of sessions:

  • The client passes a username/password to get an API token
  • This token is then sent in an Authorization header on future requests
  • For these APIs, enabling cookies may not be necessary to avoid 403 errors if you have a valid API token.

    Key Takeaways

  • 403 Forbidden errors commonly occur due to authentication issues with Requests
  • Cookies are often used by web apps for session management and authentication
  • Creating a persistent Session and enabling cookies allows the client to store and send authentication cookies
  • For token-based APIs, cookies may not be strictly required to avoid 403 errors
  • By understanding the role of cookies in authentication and properly configuring the Requests library, you can resolve frustrating 403 issues when interacting with web APIs and services.

    Browse by language:

    The easiest way to do Web Scraping

    Get HTML from any page with a simple API call. We handle proxy rotation, browser identities, automatic retries, CAPTCHAs, JavaScript rendering, etc automatically for you

    Try ProxiesAPI for free

    curl ""

    <!doctype html>
        <title>Example Domain</title>
        <meta charset="utf-8" />
        <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />


    Don't leave just yet!

    Enter your email below to claim your free API key: