Good news, everyone!
When a user clicks the link, his browser voluntarily send to the server all the cookies tied to that domain. No special action for "pumping" won't have to do. How to get cookies on the server - depends on your server language. Example for php
, for python
And more good news - usually cookies are not encrypted and transmitted in clear text.
However, there is a fly in the ointment - he does not send all cookies that are on this computer, but only those that are tied to the current domain.
More for beginners: https://ru.wikipedia.org/wiki/HTTP_cookie
More details in RFC, the wiki has the links.
And in order to install a Keylogger need to use some vulnerability in the user's browser, allowing execution of arbitrary code. Such vulnerability is not so rare to find, but they fairly quickly closed. Google zero-day browser exploit
or something like that.