HTTP Cookie Parser — Parse, Decode & Build Cookie Strings

About Cookie Parser

The Cookie Parser helps web developers work with HTTP cookies and Set-Cookie headers. It parses both browser cookie strings (multiple name=value pairs) and Set-Cookie header format (one cookie with Path, Domain, Expires, Secure, HttpOnly, SameSite, etc.), decodes values, and lets you build valid Set-Cookie strings. All processing runs in your browser—no server, no storage.

How to Parse Cookies

Paste your cookie string into the input box. The tool auto-detects the format:

• Browser cookie string — e.g. sessionId=abc123; theme=dark; csrftoken=xyz. Each name=value pair is one cookie.
• Set-Cookie header — e.g. sessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Lax. The first pair is the cookie name and value; the rest are attributes (Path, Domain, Expires, Max-Age, Secure, HttpOnly, SameSite).

Values are URL-decoded automatically (e.g. user=John%20Doe → John Doe). If a value is valid JSON, a “Show JSON” preview is available.

Cookie Attributes Explained

• Domain — Which host(s) can receive the cookie (e.g. .example.com).
• Path — URL path that must be in the request to send the cookie (e.g. / or /api).
• Expires — Absolute expiration date in GMT (e.g. Wed, 21 Oct 2025 07:28:00 GMT).
• Max-Age — Lifetime in seconds from when the cookie is set. Takes precedence over Expires if both are present.
• Secure — Cookie is sent only over HTTPS.
• HttpOnly — Cookie is not accessible from JavaScript (helps prevent XSS).
• SameSite — Strict (never cross-site), Lax (top-level navigation only), or None (always; requires Secure).
• Priority — Chrome-only: High, Medium, or Low for storage eviction.
• Partitioned — CHIPS: cookie is partitioned by top-level site.

Example Cookie Strings

Multiple cookies (browser format):

sessionId=abc123; theme=dark; csrftoken=xyz

Single Set-Cookie header:

sessionId=abc123; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Lax

What is a Set-Cookie Header

Set-Cookie is an HTTP response header sent by the server to create or update a cookie in the browser. It contains the cookie name and value plus optional attributes (Path, Domain, Expires, Max-Age, Secure, HttpOnly, SameSite). The browser stores the cookie and sends it back with future requests that match the Domain and Path. This tool parses Set-Cookie strings and can generate them for use in your backend or API responses.

Cookie Parser Use Cases

• Parsing cookies from browser dev tools or network tabs
• Creating Set-Cookie headers for API responses
• Understanding cookie attributes and security
• Debugging cookie-related issues
• Testing cookie behavior
• Exporting cookie data as JSON, CSV, or cookie file

How Developers Debug Cookies

Developers use this cookie parser to inspect cookies from the Application tab (Chrome) or Storage tab (Firefox), or from the Cookie request/response headers in the Network panel. Paste the cookie string or a Set-Cookie header, then use the statistics panel to see counts (Secure, HttpOnly, SameSite), search and sort the table, and copy individual Set-Cookie headers for replay or debugging. Validation warnings highlight common issues like SameSite=None without Secure or invalid Expires format.

Browser Cookie vs Set-Cookie Header

Browser cookie string (e.g. from document.cookie or dev tools) contains multiple cookies as name=value; name2=value2. There are no attributes like Path or Domain—those are stored by the browser separately. Set-Cookie header is what the server sends in an HTTP response: one cookie per header, with optional attributes (Path=, Domain=, Expires=, Max-Age=, Secure, HttpOnly, SameSite=). This tool detects the format automatically and parses accordingly.

Common Cookie Mistakes

• SameSite=None without Secure — Browsers reject cookies with SameSite=None unless the Secure flag is set.
• Spaces in cookie names — Cookie names should not contain spaces or special characters.
• Invalid Expires format — Use GMT format, e.g. Wed, 21 Oct 2025 07:28:00 GMT.
• Missing HttpOnly for session cookies — Session or auth cookies should typically set HttpOnly to reduce XSS risk.

Supported Cookie Formats

This cookie parser supports multiple input formats. Paste any of the following and the tool will detect the format and parse the cookies automatically.

• Browser cookie strings — Name-value pairs separated by semicolons, as copied from browser dev tools or document.cookie.
• Set-Cookie headers — Full Set-Cookie response header lines including Path, Domain, Expires, Secure, HttpOnly, SameSite, and other attributes.
• HTTP request headers — Raw request headers containing a Cookie: line; the tool extracts the cookie string from the header block.
• curl command cookies — curl commands that include -H "Cookie: ..." or -H 'Cookie: ...'; the tool extracts the cookie value from the command.

Examples:

• sessionId=abc123; theme=dark
• Set-Cookie: sessionId=abc123; Path=/; Secure
• GET /api HTTP/1.1
  Cookie: sessionId=abc123
• curl https://example.com -H "Cookie: sessionId=abc123"

Key Features

• Parse browser cookie strings and Set-Cookie headers
• URL-decode values and optional JSON preview
• Statistics panel, search, sort, and table view
• Copy and download: JSON, CSV, cookie file, Set-Cookie per row
• Create cookies with Domain, Path, Expires, Max-Age, Secure, HttpOnly, SameSite, Priority, Partitioned
• 100% browser-based — no server, no storage