Network

Cookie Parser

A cookie is just one tangled string — until a browser quietly rejects it. Paste a Cookie or Set-Cookie header, or a raw document.cookie, and every cookie is broken out into name, value, and attributes, with URL-encoded, JSON, Base64, and JWT values decoded in place. A built-in audit grades Secure, HttpOnly, SameSite, the __Host- and __Secure- prefixes, expiry, and size, then rebuilds the set as a Cookie header, Set-Cookie lines, document.cookie, a Netscape cookies.txt jar, JSON, or PHP. It all runs in your browser — nothing is uploaded.

  • One box reads Cookie headers, Set-Cookie headers, and document.cookie — no mode switching
  • Opaque values decoded in place: URL-encoding, JSON, Base64, and JWT
  • Security audit scores Secure, HttpOnly, SameSite, __Host-/__Secure- prefixes, and expiry
  • Rebuild as a Cookie header, Set-Cookie, document.cookie, curl cookies.txt, JSON, or PHP
tools/Cookie Parser

Start here

Paste a Cookie header, one or more Set-Cookie headers, or a document.cookie string into the input on the left, and the parsed cookies show up here.

Try a sample
Samples

Overview

Paste a cookie string from any direction — request, response, or document.cookie — and it comes back as named fields you can read, decoded values you can verify, and an audit that points at the risky parts.

  1. 01

    Three cookie shapes, auto-detected

    Cookie request headers, Set-Cookie response headers, and raw document.cookie strings are all recognised from their structure. Reserved attributes such as Path, Domain, and SameSite give a Set-Cookie away; you can also force the format from the toolbar.

  2. 02

    Values decoded inline

    URL-encoded values are unescaped, JSON is pretty-printed, Base64 is unwrapped, and a JWT is split into header and payload — so you can read what a cookie actually carries without a second tool.

  3. 03

    Every attribute surfaced

    Domain, Path, Expires, Max-Age, SameSite, Secure, HttpOnly, Partitioned, and Priority are each pulled out. A Max-Age becomes a real date, and expiry reads as a countdown like "in 12 months" or "expired 5 years ago".

  4. 04

    A real security audit

    Every cookie is graded for Secure, HttpOnly, SameSite, the __Host- and __Secure- prefixes, oversized payloads, broad Domain scope, expiry, and duplicates — rolled into one 0-100 score, where critical issues like SameSite=None without Secure cost the most.

  5. 05

    Round-trip export

    Rebuild the set as a Cookie header, Set-Cookie lines, document.cookie statements, a Netscape cookies.txt jar for curl, a JSON array, a Markdown table, or PHP setcookie() calls.

  6. 06

    In-browser, no upload

    Detection, decoding, auditing, and export all happen on this page. No network request carries your cookies out of the browser.

How to use

Paste, read, and rebuild — a single input box handles detection, decoding, the audit, and every export, with nothing to configure.

  1. 01

    Paste a Cookie header, one or more Set-Cookie headers, or a document.cookie string into the input on the left.

  2. 02

    The direction is auto-detected. If it picks wrong, switch to Cookie or Set-Cookie from the toolbar.

  3. 03

    In the Structured view, read each cookie's name, decoded value, and attributes, and expand JWT or JSON values inline.

  4. 04

    Open the Security view for the score, coverage stats, size budget, and the full list of findings.

  5. 05

    Switch to the Export view, pick a target format, and copy the rebuilt cookies back into your header, script, or curl jar.

Details

Reading a cookie, decoding its value, and catching its mistakes happen in one pass instead of across three tools.

  • Cookie headers split into name=value pairs; Set-Cookie headers split into name, value, and every attribute.
  • Multiple Set-Cookie lines are parsed at once, one cookie per line, with leading header names stripped.
  • Values are classified as JWT, JSON, Base64, URL-encoded, hex, UUID, numeric, boolean, or plain text.
  • Expiry is shown as an absolute date and a localized relative countdown, with session and expired flags.
  • The audit flags SameSite=None without Secure, __Host-/__Secure- prefix violations, missing HttpOnly, and oversize cookies.
  • Size budget bars compare the total and the largest cookie against the 4096-byte browser limit.

Use cases

Where a cookie parser earns its keep — debugging, auditing, and reproducing real cookies, day to day.

  1. Read what a cookie actually stores

    A value like sid=s%3Aa1b2c3 or a Base64 blob tells you nothing at a glance. Paste it and read the JSON, JWT claims, or decoded text inline — no manual percent-unescaping or jwt.io round-trip.

  2. Audit a Set-Cookie before shipping

    Paste the Set-Cookie your backend emits and confirm Secure, HttpOnly, SameSite, and the __Host- prefix line up. The audit catches SameSite=None without Secure — which the browser silently drops — before it reaches production.

  3. Debug a cookie that will not stick

    When a cookie vanishes after a redirect, the cause is usually visible here: an Expires date already in the past, a Domain that does not match the host, or a value over 4096 bytes the browser refuses to store.

  4. Move a browser session into curl

    Copy document.cookie from DevTools, export a Netscape cookies.txt jar, and replay the exact session with curl --cookie cookies.txt or wget --load-cookies — no hand-editing tab-separated fields.

  5. Reproduce a cookie in code

    Export PHP setcookie() calls or document.cookie assignments so a cookie you captured becomes a test fixture you can set in one line, attributes and all.

  6. Document a cookie set for the team

    Drop a Markdown table of names, values, and flags straight into a PR or ticket, so frontend, backend, and QA work from one shared cookie inventory instead of screenshots.

See also

When the cookie is only part of a larger capture, open HTTP Message Parser to unpack the full request line, headers, and body. When a cookie carries a JSON Web Token, JWT Inspector decodes the payload and verifies the signature. And for the URL-encoded values inside a cookie or a tangled query string, URL Tools pulls each component apart and clears tracking parameters.

Best practices

Cookies are just text until something rejects them. Let the structured view and audit do the first read.

  • Set session and auth cookies with Secure, HttpOnly, and an explicit SameSite — do not rely on the Lax default.
  • Use the __Host- prefix for session cookies: it forces Secure, Path=/, and no Domain, which blocks subdomain injection.
  • Before screenshotting or sharing, scrub real session, token, and auth values from the structured view.
  • Keep each cookie well under 4096 bytes; move large state server-side and store only an identifier.
  • Treat SameSite=None as opt-in cross-site exposure — pair it with Secure and a clear reason.
  • Do not leave production cookies sitting in any online tool, including this one. Clear the input when finished.

Limitations

Knowing what the tool does not do keeps you from reaching for it as a browser or a scanner.

  • No network requests are made; the tool only parses the text you paste, so it cannot read or set real browser cookies.
  • Cookie encryption and signed-cookie verification are out of scope — it decodes structure, not server secrets.
  • The audit reports baseline hygiene signals, not a verdict; sensitive cookies still need a proper security review.
  • Decoding is best-effort: a value that merely looks like Base64 or JSON may be coincidental, not the real format.
  • Browser-specific quirks such as cookie partitioning behaviour and per-domain count limits vary by engine and version.

FAQ

Straight answers on format detection, value decoding, the security score, exporting for curl, and where your cookie data goes.

How does it tell a Cookie header from a Set-Cookie header?

Set-Cookie carries reserved attributes such as Path, Domain, Expires, or SameSite, and is one cookie per line; a Cookie header is a single line of name=value pairs. Auto-detect uses that, and you can override it from the toolbar.

Can it decode encoded cookie values?

Yes. It URL-decodes values, pretty-prints JSON, unwraps Base64, and splits a JWT into its header and payload, all shown inline under each cookie.

What does the security score mean?

It starts at 100 and subtracts for each finding — most for critical issues like SameSite=None without Secure or a broken __Host- prefix, less for warnings and notices. It is a quick signal, not a compliance grade.

Can I export cookies for curl?

Yes. The Netscape cookies.txt export produces a jar you can load with curl --cookie cookies.txt or wget --load-cookies, plus document.cookie, JSON, Markdown, and PHP exports.

Does my cookie data get uploaded?

No. Detection, decoding, auditing, and export all happen in the browser. No network request carries your cookies out of this page.

Why is an attribute like Secure missing from a request cookie?

A Cookie request header only carries name=value pairs — attributes like Secure, HttpOnly, and SameSite live on Set-Cookie. Paste the Set-Cookie header to audit those.

Related tools

Keep going on network and security work — parse the whole HTTP message, decode a JWT from a cookie, or clean a URL.