A bearer cookie is a session cookie that authenticates anyone who presents it. The server assumes the holder is the legitimate user until the cookie expires, is rotated, or is revoked. This makes it a classic bearer token: possession is enough.
Bearer cookies matter because they are easy to steal and reuse. Attackers often extract them with malware, browser injection, phishing, or insecure device access, then replay them from another system to hijack an active session without knowing the password. Defenders reduce this risk with short session lifetimes, secure storage, HTTPS, revocation controls, multi-factor authentication, and device-bound session schemes that make copied cookies less useful off-device. In practice, a bearer cookie is convenient for web apps, but its security depends on protecting the token itself and limiting how long it remains valid.
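The defensive controls listed above, as an added example written for this page (not code from any framework or project): a minimal server-side session store that issues an unguessable cookie value, sets the cookie attributes that limit theft and cross-site replay, enforces a short absolute lifetime plus an idle timeout, supports explicit revocation, and binds each session to a device so a copied cookie presented from elsewhere is rejected. The `device_id` value is an assumption standing in for a real device-bound credential (for example a proof from a device-held key); a spoofable header would not give the same protection.

```python
"""Added example: a server-side bearer-cookie session store (illustrative, not a framework API)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    device_hash: str      # hash of the device binding presented at issue time
    revoked: bool = False


class SessionStore:
    COOKIE_NAME = "sid"

    def __init__(self, ttl_seconds=900, idle_seconds=300, clock=time.time):
        self.ttl = ttl_seconds      # absolute lifetime: limits how long a stolen cookie stays valid
        self.idle = idle_seconds    # sliding idle timeout
        self.clock = clock          # injectable clock so expiry can be exercised deterministically
        self._sessions = {}         # opaque cookie value -> Session

    @staticmethod
    def _device_hash(device_id: str) -> str:
        return hashlib.sha256(device_id.encode()).hexdigest()

    def issue(self, user: str, device_id: str) -> str:
        """Create a session and return the opaque cookie value (256 bits of entropy)."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = Session(user, now, now, self._device_hash(device_id))
        return token

    def set_cookie_header(self, token: str) -> str:
        """Set-Cookie with attributes that keep the cookie off script and plain HTTP."""
        return (f"{self.COOKIE_NAME}={token}; Path=/; Max-Age={self.ttl}; "
                "Secure; HttpOnly; SameSite=Lax")

    def validate(self, token: str, device_id: str):
        """Return (user, 'ok') for a valid session, else (None, reason)."""
        sess = self._sessions.get(token)
        if sess is None:
            return None, "unknown"
        if sess.revoked:
            return None, "revoked"
        now = self.clock()
        if now - sess.issued_at > self.ttl:
            return None, "expired"
        if now - sess.last_seen > self.idle:
            return None, "idle-timeout"
        # Device binding: a cookie replayed from another device fails here.
        if not hmac.compare_digest(sess.device_hash, self._device_hash(device_id)):
            return None, "device-mismatch"
        sess.last_seen = now
        return sess.user, "ok"

    def revoke(self, token: str) -> bool:
        """Revoke one session (e.g. on logout or a theft report)."""
        sess = self._sessions.get(token)
        if sess is None:
            return False
        sess.revoked = True
        return True

    def revoke_all_for_user(self, user: str) -> int:
        """Revoke every live session of a user (e.g. after a password reset)."""
        count = 0
        for sess in self._sessions.values():
            if sess.user == user and not sess.revoked:
                sess.revoked = True
                count += 1
        return count


def demo():
    """Issue a cookie, replay it from another device, revoke it, and let one expire."""
    fake_now = [1_000_000.0]  # constructed clock value
    store = SessionStore(ttl_seconds=900, idle_seconds=300, clock=lambda: fake_now[0])
    results = {}

    token = store.issue("alice", "device-A")
    results["header"] = store.set_cookie_header(token)
    results["same_device"] = store.validate(token, "device-A")
    results["copied_cookie"] = store.validate(token, "device-B")  # replayed off-device
    fake_now[0] += 200                                            # within idle window
    results["still_valid"] = store.validate(token, "device-A")
    store.revoke(token)
    results["after_revoke"] = store.validate(token, "device-A")

    token2 = store.issue("bob", "device-C")
    fake_now[0] += 901                                            # past absolute lifetime
    results["expired"] = store.validate(token2, "device-C")
    results["unknown"] = store.validate("not-a-real-token", "device-C")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The store never trusts anything in the cookie itself: the value is an opaque lookup key, and every check (lifetime, idle, revocation, device binding) is made against server-side state, so revocation takes effect immediately rather than waiting for the cookie to expire.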