Why?

It’s not the client cookie, It’s the website’s cookie.

Just to be clear guys, What I showed was a different method. Like @ChrisPAR you can’t directly access using just CURL. So don’t get me wrong for posting things like this.

It does not because:

However, when Herbert did it, it worked, not sure how (and yes I did try to set the cookie).

Because he had the cookie there

That is why I said this:

I’ll try again in a few minutes or tomorrow (it is 8:59 PM currently and I have school tomorrow).
–EDIT–
I just tried it and it worked!

image988×450 21.9 KB

That’s correct, without the cookies JS won’t work.

You are using Herbert’s cookie! Go to dev tools > Application > Cookies and copy the value for __test.

A whole new solution would be to use headless chrome or Firefox. Maybe that would work. I’ve never used a headless browser before, though.

The whole conclusion for me is that this security system sucks.

Yeah, that works. Or just re-invent the cookie.

The cookie is not a static value. You can’t just copy it once and reuse it forever. That would make it way too easy to bypass the security system.

It sounds to me like it’s doing exactly what it’s intended to do.

Intended to prevent bots from accessing but some easy trick bypasses it.

How to see devtools on android?

I don’t have an Andriod so I wouldn’t be able to tell you with certainty that this works but here’s an article:

Alternatively, this is what Bing AI told me:

Hey Admin, The current cookie security mechanism is indeed preventing bots, but wouldn’t it be more efficient if you set the cookie value to reset for each request? This would improve the system. It’s just an idea, though!

It would unnecessarily slow down page load time + break media linked in it, it would still be bypassable by a bot which uses headless browser.

Yeah but it’ll add another security layer though. Why not using CAPTCHA? It’s very effective against bots.