Souus Tools
Sponsor

Cookie Parser

Free online cookie parser tool. Parse and inspect Set-Cookie headers and document.cookie strings to view names, values, and attributes.

Name: session_id
Value: abc123
Path/
Domain.example.com
ExpiresFri, 31 Dec 2027 23:59:59 GMT
HttpOnly
Secure
SameSiteLax

What Is a Cookie Parser?

HTTP cookies are small pieces of data that web servers send to browsers via the Set-Cookie response header. Browsers store these cookies and include them in subsequent requests using the Cookie header. Cookies are fundamental to web development — they manage user sessions, store preferences, track authentication state, and enable personalization. A Cookie Parser breaks down raw cookie strings into their individual components: the cookie name and value, along with attributes like Expires, Max-Age, Domain, Path, Secure, HttpOnly, and SameSite. This tool supports parsing both Set-Cookie headers (server response format with attributes) and document.cookie strings (browser-side format with multiple key-value pairs).

How to Use the Cookie Parser

  1. Select the parsing mode: 'Parse Set-Cookie' for server response headers or 'Parse Cookie String' for browser-side cookie strings.
  2. For Set-Cookie headers: paste the full header value (e.g., 'session_id=abc123; Path=/; HttpOnly; Secure'). The tool will extract the cookie name, value, and all attributes.
  3. For Cookie strings: paste the document.cookie value (e.g., 'key1=value1; key2=value2'). The tool will split it into individual cookie key-value pairs.
  4. Review the parsed output showing each component in a structured, easy-to-read format.

Common Use Cases

  • Debugging Authentication Issues — Inspect Set-Cookie headers from authentication endpoints to verify cookie attributes like HttpOnly, Secure, SameSite, and expiration are set correctly.
  • Security Auditing — Check whether cookies have proper security flags (Secure, HttpOnly, SameSite) to prevent XSS attacks, CSRF vulnerabilities, and cookie theft.
  • Cross-Domain Cookie Troubleshooting — Analyze Domain and Path attributes to diagnose issues with cookies not being sent to the expected subdomains or URL paths.
  • Session Management Review — Parse session cookies to verify expiration times, understand Max-Age settings, and ensure session cookies are configured according to security best practices.

FAQ

What is the difference between Set-Cookie and document.cookie?
Set-Cookie is an HTTP response header sent by the server to create or update a cookie, and includes attributes like Expires, Path, Domain, Secure, HttpOnly, and SameSite. document.cookie is a JavaScript property in the browser that returns all non-HttpOnly cookies as a single string of 'key=value' pairs separated by semicolons, without the attributes.
What does the HttpOnly flag mean?
The HttpOnly flag prevents JavaScript from accessing the cookie via document.cookie. This is a critical security measure that helps prevent cross-site scripting (XSS) attacks from stealing session cookies. Cookies with HttpOnly can only be sent with HTTP requests, not read by client-side scripts.
What is the SameSite attribute?
SameSite controls whether cookies are sent with cross-site requests. 'Strict' means the cookie is only sent with same-site requests. 'Lax' (the default in most browsers) allows cookies on top-level navigations. 'None' allows cookies on all cross-site requests but requires the Secure flag. SameSite helps prevent CSRF attacks.
How do Expires and Max-Age differ?
Expires sets an absolute date/time when the cookie expires (e.g., 'Fri, 31 Dec 2027 23:59:59 GMT'). Max-Age sets the cookie lifetime in seconds from the current time (e.g., '86400' for 24 hours). If both are set, Max-Age takes precedence. If neither is set, the cookie is a session cookie that is deleted when the browser closes.

Related Tools

HTTP Status Codes Reference - Complete Status Code GuideHTTP Request Builder