With the revised question, a new answer:
The documentation property HttpBrowserCapabilitiesBase.Cookies
says:
This property does not indicate whether cookies are currently enabled in the browser, only whether the browser can support cookies.
It appears to be set based on detection of the user's browser and the browser capability database on the server. So it will reliably tell you if the browser is capable of storing cookies if and only if:
- The request's user agent string is correct.
- The browser is in the database and the database is correct for the browser.
Condition #1 would be broken if the user agent HTTP header was changed (eg. by developer tools or a proxy). Condition #2 would be broken if the browser is newer than the database, or there is a defect in the database.
tl;dr version: there is no guarantee, treat this information as "best effort". And of course the user could have disabled cookies (eg. "in private" browsing mode).
Original answer to a different question:
If you want to rely on the cookies you send in a response always coming back exactly the same, then the answer is: usually, but don't rely on this.
Possible reasons:
- Non-HTTP only cookies can be modified by client side script (and that script could be injected locally).
- A browser bug.
- Using a non-browser to make request (eg.
wget.exe
) that doesn't handle cookies for the user.
- A proxy that modifies the request or response.
- Local clock on client system modified to cause cookie expiration.
- User modifying the cookie store of the browser.