HTTP Cookie Parser — Parse, Decode & Build Cookie Strings

Paste a Cookie header, Set-Cookie header, or curl command and instantly see all cookie attributes in a readable table.

HTTP Cookie Parser — Parse, Decode & Build Cookie Strings

Paste a Cookie header, Set-Cookie header, or curl command and instantly see all cookie attributes in a readable table.

Paste a cookie string, Set-Cookie header, full HTTP request headers (Cookie: …), or a cURL command with -H "Cookie: …". Values are URL-decoded automatically.

Quick paste:

Create Cookie (Set-Cookie)

What This Tool Does

This cookie parser online parses HTTP cookie strings and displays cookie names, values, and attributes (Secure, HttpOnly, SameSite, Domain, Path, Expires, Max-Age). Paste a Cookie or Set-Cookie header and view the result instantly. You can also build Set-Cookie strings.

Examples

Input:

sessionId=abc123; Secure; HttpOnly; SameSite=Lax

Output (parsed):

{
  sessionId: "abc123",
  Secure: true,
  HttpOnly: true,
  SameSite: "Lax"
}

About Cookie Parser

The Cookie Parser helps web developers work with HTTP cookies and Set-Cookie headers. It parses both browser cookie strings (multiple name=value pairs) and Set-Cookie header format (one cookie with Path, Domain, Expires, Secure, HttpOnly, SameSite, etc.), decodes values, and lets you build valid Set-Cookie strings. All processing runs in your browser—no server, no storage.

How to Parse Cookies

Paste your cookie string into the input box. The tool auto-detects the format:

  • Browser cookie string — e.g. sessionId=abc123; theme=dark; csrftoken=xyz. Each name=value pair is one cookie.
  • Set-Cookie header — e.g. sessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Lax. The first pair is the cookie name and value; the rest are attributes (Path, Domain, Expires, Max-Age, Secure, HttpOnly, SameSite).

Values are URL-decoded automatically (e.g. user=John%20Doe → John Doe). If a value is valid JSON, a “Show JSON” preview is available.

Cookie Attributes Explained

  • Domain — Which host(s) can receive the cookie (e.g. .example.com).
  • Path — URL path that must be in the request to send the cookie (e.g. / or /api).
  • Expires — Absolute expiration date in GMT (e.g. Wed, 21 Oct 2025 07:28:00 GMT).
  • Max-Age — Lifetime in seconds from when the cookie is set. Takes precedence over Expires if both are present.
  • Secure — Cookie is sent only over HTTPS.
  • HttpOnly — Cookie is not accessible from JavaScript (helps prevent XSS).
  • SameSite — Strict (never cross-site), Lax (top-level navigation only), or None (always; requires Secure).
  • Priority — Chrome-only: High, Medium, or Low for storage eviction.
  • Partitioned — CHIPS: cookie is partitioned by top-level site.

Example Cookie Strings

Multiple cookies (browser format):

sessionId=abc123; theme=dark; csrftoken=xyz

Single Set-Cookie header:

sessionId=abc123; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Lax

What is a Set-Cookie Header

Set-Cookie is an HTTP response header sent by the server to create or update a cookie in the browser. It contains the cookie name and value plus optional attributes (Path, Domain, Expires, Max-Age, Secure, HttpOnly, SameSite). The browser stores the cookie and sends it back with future requests that match the Domain and Path. This tool parses Set-Cookie strings and can generate them for use in your backend or API responses.

Cookie Parser Use Cases

  • Parsing cookies from browser dev tools or network tabs
  • Creating Set-Cookie headers for API responses
  • Understanding cookie attributes and security
  • Debugging cookie-related issues
  • Testing cookie behavior
  • Exporting cookie data as JSON, CSV, or cookie file

How Developers Debug Cookies

Developers use this cookie parser to inspect cookies from the Application tab (Chrome) or Storage tab (Firefox), or from the Cookie request/response headers in the Network panel. Paste the cookie string or a Set-Cookie header, then use the statistics panel to see counts (Secure, HttpOnly, SameSite), search and sort the table, and copy individual Set-Cookie headers for replay or debugging. Validation warnings highlight common issues like SameSite=None without Secure or invalid Expires format.

Browser Cookie vs Set-Cookie Header

Browser cookie string (e.g. from document.cookie or dev tools) contains multiple cookies as name=value; name2=value2. There are no attributes like Path or Domain—those are stored by the browser separately. Set-Cookie header is what the server sends in an HTTP response: one cookie per header, with optional attributes (Path=, Domain=, Expires=, Max-Age=, Secure, HttpOnly, SameSite=). This tool detects the format automatically and parses accordingly.

Common Cookie Mistakes

  • SameSite=None without Secure — Browsers reject cookies with SameSite=None unless the Secure flag is set.
  • Spaces in cookie names — Cookie names should not contain spaces or special characters.
  • Invalid Expires format — Use GMT format, e.g. Wed, 21 Oct 2025 07:28:00 GMT.
  • Missing HttpOnly for session cookies — Session or auth cookies should typically set HttpOnly to reduce XSS risk.

Supported Cookie Formats

This cookie parser supports multiple input formats. Paste any of the following and the tool will detect the format and parse the cookies automatically.

  • Browser cookie strings — Name-value pairs separated by semicolons, as copied from browser dev tools or document.cookie.
  • Set-Cookie headers — Full Set-Cookie response header lines including Path, Domain, Expires, Secure, HttpOnly, SameSite, and other attributes.
  • HTTP request headers — Raw request headers containing a Cookie: line; the tool extracts the cookie string from the header block.
  • curl command cookies — curl commands that include -H "Cookie: ..." or -H 'Cookie: ...'; the tool extracts the cookie value from the command.

Examples:

  • sessionId=abc123; theme=dark
  • Set-Cookie: sessionId=abc123; Path=/; Secure
  • GET /api HTTP/1.1
    Cookie: sessionId=abc123
  • curl https://example.com -H "Cookie: sessionId=abc123"

Key Features

  • Parse browser cookie strings and Set-Cookie headers
  • URL-decode values and optional JSON preview
  • Statistics panel, search, sort, and table view
  • Copy and download: JSON, CSV, cookie file, Set-Cookie per row
  • Create cookies with Domain, Path, Expires, Max-Age, Secure, HttpOnly, SameSite, Priority, Partitioned
  • 100% browser-based — no server, no storage
By Muhammad Abdullah Rauf · Founder, EverydayTools.proUpdated 2026

Workflow guides

Step-by-step chains that connect related tools for common tasks.

Debug a broken authentication session

  1. Copy the Set-Cookie header from the browser Network tab (the login response) and paste it into the parser.
  2. Check that HttpOnly, Secure, and SameSite attributes are set correctly for production auth cookies.
  3. Decode any Base64-encoded cookie values with Base64 Decoder to read the session payload if it is base64-encoded.

Advertisement

Frequently Asked Questions

How do I parse a Set-Cookie header?

A Set-Cookie header has the format: name=value; Path=/; Expires=date; HttpOnly; Secure; SameSite=Lax. Paste the full header value (without the 'Set-Cookie:' prefix) and this tool extracts name, value, domain, path, expires, and all flags as a structured table. Useful for debugging authentication flows and session management.

What is the difference between HttpOnly and Secure cookies?

HttpOnly prevents JavaScript from reading the cookie via document.cookie — protecting against XSS token theft. Secure means the cookie is only sent over HTTPS connections. Both attributes should be set on session and auth cookies in production. SameSite=Strict or Lax also prevents CSRF attacks by restricting cross-site cookie sending.

Why does document.cookie look different from the Set-Cookie header?

document.cookie only shows name=value pairs for cookies accessible to JavaScript (HttpOnly cookies are excluded). The Set-Cookie header includes all attributes (path, expiry, flags). This parser handles both formats — paste either the HTTP header value or the document.cookie string.

How do I build a cookie string for testing?

Use the form editor to set name, value, domain, path, expiry, and flags, then copy the generated Set-Cookie header. This is useful when you need to manually set a cookie for a test case, Postman request, or API integration that expects specific cookie attributes.

Part of Developer Tools

Related Tools

More free tools for the same workflow.

Base64 Encoder & Decoder

Free Base64 encoder and decoder — encode any text or data to Base64 and decode Base64 strings back to readable text. Supports URL-safe Base64 variant. No signup needed.

HTTP Header Generator

Free HTTP header generator — build Content-Type, Cache-Control, CORS, Authorization, and security headers with correct syntax. Copy for NGINX, Apache, or API responses. No signup.

Advertisement