When Twilio makes a request to your SMS Webhook URL and your web application server returns a cookie (a "Set-Cookie" HTTP response header), Twilio stores this cookie and associates it with the "From" and "To" number pair of the incoming SMS message.
Twilio will include the cookie that you set (as a "Cookie" HTTP request header) for subsequent requests to your web server associated with the same "From" and "To" phone number pair.
Please note that this behaviour applies to SMS Webhooks for incoming messages and may not reflect the behaviour of Webhooks associated with other Twilio Products.
There are some limitations to Twilio cookies:
- If you do not set an expiration on the cookie, the cookie will expire after 4 hours. This means that if an incoming SMS message arrives more than 4 hours after the cookie was set, the expired cookie will not be included with the request.
- If you want a cookie to expire earlier than 4 hours, you can specify a different expiration with the "Expires" or "Max-Age" attribute on the cookie. Longer expirations may be capped to 4 hours.
- Cookies cannot be set on outgoing API calls and SMS messages. Twilio only accepts cookies when the outgoing proxy server makes a request to your server. It cannot accept cookies when you make a request to api.twilio.com.
- The cookie is keyed by "From" and "To" phone numbers. This information may not be sufficient to distinguish a conversation for your use case. A cookie you set in response to one From-To pair will not be returned in webhooks related to a different From-To pair.
- Cookies are not included in the signature algorithm used to verify that requests originate from Twilio, so a valid request signature does not vouch for the cookie's contents. To avoid the possibility of a replay attack, trust cookies only when they are sent to HTTPS addresses.
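
Because the cookie sits outside Twilio's request signature, a webhook handler can authenticate the cookie itself. The following is an added example, not Twilio's code: it signs conversation state with an HMAC bound to the "From" and "To" pair and an expiry capped at 4 hours, as a complement to HTTPS rather than a replacement. The cookie name `conv`, the key, the function names and the phone numbers used with it are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to Twilio
MAX_AGE = 4 * 60 * 60             # the 4-hour ceiling described above, in seconds


def _mac(body, from_no, to_no):
    # Bind the tag to the From/To pair the cookie is keyed by, so a value
    # issued for one conversation is rejected if presented for another.
    msg = b"|".join([from_no.encode(), to_no.encode(), body])
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_set_cookie(state, from_no, to_no, max_age=MAX_AGE, now=None):
    """Return a Set-Cookie header value carrying signed conversation state."""
    max_age = min(max_age, MAX_AGE)  # longer lifetimes may be capped anyway
    issued = int(time.time() if now is None else now)
    payload = {"s": state, "exp": issued + max_age}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    return f"conv={body.decode()}.{_mac(body, from_no, to_no)}; Max-Age={max_age}"


def read_cookie(cookie_header, from_no, to_no, now=None):
    """Return the state dict, or None if absent, forged, rebound or expired."""
    now = time.time() if now is None else now
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != "conv":
            continue
        body, _, tag = value.rpartition(".")
        expected = _mac(body.encode(), from_no, to_no)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None  # tampered value, or issued for a different From/To pair
        payload = json.loads(base64.urlsafe_b64decode(body))
        # Enforce our own expiry instead of relying on the sender to drop it.
        return payload["s"] if now < payload["exp"] else None
    return None
```

Call `read_cookie` with the "Cookie" request header and the "From" and "To" parameters of the same webhook request, after the Twilio request signature has been verified.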