What this tool does
Parse a Cookie or Set-Cookie header into structured name/value pairs with attributes (Path, Domain, Expires, Max-Age, Secure, HttpOnly, SameSite). Useful when debugging auth flows or inspecting headers captured from a network trace.
How to use it
Paste a header (either kind). Each cookie shows up as a row; the first row carries any attributes — matching how Set-Cookie works.
Input: sid=abc123; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Lax
Output: name=sid value=abc123
path=/, maxAge=3600, secure, httpOnly, sameSite=LaxLimits and edge cases
- Cookie values are returned as-is. If your cookie value is URL-encoded (often the case for session tokens), pipe the value through the URL Decoder.
- Attribute parsing is case-insensitive. Unknown attribute names are silently dropped.
- Only the first pair gets attached attributes (Set-Cookie semantics). Multi-pair Cookie headers have no attributes by protocol design.
Frequently asked questions
- Is anything sent to a server?
- No. Cookie parsing is a pure-JavaScript operation in your browser.
- What's the difference between Cookie and Set-Cookie?
- Cookie is the request header (client → server, name=value pairs only). Set-Cookie is the response header (server → client, single pair with attributes). This tool parses both.
- Why isn't 'SameSite=Bogus' showing?
- SameSite only accepts Strict / Lax / None per the spec. Anything else is silently dropped to surface the intent: the cookie won't get a SameSite policy applied.
- Does it validate Expires dates?
- Not yet — Expires is returned as the raw string. Pipe it through the Timestamp tool to see when it fires.