Cookie Parser

How to use

1. 1Copy a Set-Cookie response header or a Cookie request header from your browser DevTools, a curl -v trace, or a server log.
2. 2Paste it into the input. Multiple Set-Cookie headers should be one per line, each on its own row.
3. 3Leave Mode on Auto to let the tool detect the shape, or pick Set-Cookie or Cookie explicitly if your input is ambiguous.
4. 4Read each cookie card for its parsed name, value (raw and URL-decoded), every attribute, and any notes about SameSite, Secure, HttpOnly, prefixes, lifetimes, or oversize values.
5. 5Use the per-cookie Copy buttons to grab just the value or the full line, or use Copy summary to take a plain-text report of the whole parse.

About this tool

Cookie Parser breaks an HTTP cookie header into a readable table of every cookie and every attribute set on it. Paste one or many Set-Cookie response headers, one per line, with or without the Set-Cookie: prefix, and the tool splits each line into its name, value, Domain, Path, Expires, Max-Age, SameSite, Secure, HttpOnly, Partitioned, and Priority. Switch to Cookie mode to paste a single browser Cookie request header (the same string you get from document.cookie in DevTools) and the tool parses every name=value pair on that line. Auto mode detects which shape you pasted. The value column shows both the raw bytes and a URL-decoded preview when percent-encoding was used. Expires dates are parsed and shown in ISO 8601 plus a human relative label, Max-Age values are formatted as days, hours, minutes, and seconds, and the tool flags long lifetimes that browsers will cap (Chromium clamps cookie lifetime to roughly 400 days). Each cookie also gets a list of notes covering the common debugging pitfalls: SameSite=None without Secure, __Host- and __Secure- prefix rules, missing HttpOnly on session-shaped cookies, missing Secure on tokens, Expires in the past, both Expires and Max-Age set, Domain with a leading dot, Path missing a leading slash, oversized values past the 4096 byte single-cookie limit, and unknown attributes the server included. Cookies that look like JWTs (three base64url segments separated by dots) get a tag so you know the value will decode further in the JWT Decoder. All parsing is local: the cookie text you paste, including sensitive session or auth tokens, never leaves your browser. Useful for debugging an unexpected login bounce, checking why a CSRF cookie is not being sent on a cross-site request, auditing the SameSite stance of a vendor cookie, inspecting analytics cookies that came back in a network trace, or just learning the cookie attribute surface without reading RFC 6265 cover to cover.

Free to use. Works in your browser. No signup, no login.