logo
GeekFormat

Set-Cookie Parser

Set-Cookie Parser

Paste multi-line Set-Cookie response headers to inspect attributes and flag risky SameSite / Secure combinations.

Cookie Attribute Cards

2 Set-Cookie(s)
#1sessionabc123
path/
httponly(flag)
secure(flag)
samesiteLax
No obvious attribute issues found
#2preview1
max-age600 (10m 0s)

setCookieParser.attr.maxAgeHint

samesiteNone
secure(flag)
setCookieParser.warn.missingHttpOnlysetCookieParser.warn.missingPath

JSON Preview

[
  {
    "index": 0,
    "raw": "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "name": "session",
    "value": "abc123",
    "decodedValue": "abc123",
    "attributes": [
      {
        "key": "path",
        "value": "/"
      },
      {
        "key": "httponly",
        "value": null
      },
      {
        "key": "secure",
        "value": null
      },
      {
        "key": "samesite",
        "value": "Lax"
      }
    ],
    "attributeMap": {
      "path": "/",
      "httponly": true,
      "secure": true,
      "samesite": "Lax"
    },
    "warnings": []
  },
  {
    "index": 1,
    "raw": "preview=1; Max-Age=600; SameSite=None; Secure",
    "name": "preview",
    "value": "1",
    "decodedValue": "1",
    "attributes": [
      {
        "key": "max-age",
        "value": "600"
      },
      {
        "key": "samesite",
        "value": "None"
      },
      {
        "key": "secure",
        "value": null
      }
    ],
    "attributeMap": {
      "max-age": "600",
      "samesite": "None",
      "secure": true
    },
    "warnings": [
      "warn.missingHttpOnly",
      "warn.missingPath"
    ]
  }
]

Paste your Set-Cookie headers and instantly see why the browser isn't accepting your cookies.

Related

Use Cases

  • When browsers refuse to write cookies, quickly identify whether it's a SameSite policy issue, missing Secure flag, or Path/Domain mismatch
  • Debug cookies blocked by browsers in third-party login/SSO/embedded iframe scenarios — verify SameSite=None is correctly paired with Secure
  • During security audits, batch-check that cookies returned by APIs all set HttpOnly to prevent XSS theft, and Secure to prevent HTTP plaintext transmission
  • When using __Host-/__Secure- prefixed cookies, verify RFC 6265bis mandatory requirements are met to avoid silent rejection by browsers
  • When debugging CHIPS (Partitioned Cookie) third-party cookie partitioning, confirm Partitioned and Secure are declared together
  • When setting Max-Age/Expires server-side, confirm valid values to avoid immediate cookie expiration due to clock skew or Max-Age=0
  • Compare Set-Cookie header differences across environments (dev/staging/production) to debug the mysterious case of cookies working locally but disappearing in production
  • Copy entire response headers directly from DevTools or curl responses — no need to manually remove the Set-Cookie: prefix, the tool strips it automatically
  • When writing API documentation or debugging WASM/WebWorker request bugs, paste parsed JSON results directly into docs to illustrate cookie structure

Features

  • Independent multi-cookie parsing: Each Set-Cookie line becomes its own numbered card showing name, value, and URL-decoded value—spot problem cookies at a glance
  • 14-point security attribute detection: Automatically identifies SameSite=None without Secure, invalid SameSite values, Partitioned without Secure, missing HttpOnly, missing Path, missing SameSite, __Host- prefix violations, __Secure- without Secure, invalid/zero Max-Age, leading dot in Domain, Expires without Max-Age, and more common mistakes
  • Complete attribute breakdown: SameSite, Secure, HttpOnly, Path, Domain, Expires, Max-Age, Partitioned listed item by item—flag attributes and value-bearing attributes are clearly distinguished
  • Automatic Max-Age conversion: Seconds are automatically converted to human-readable time in days/hours/minutes/seconds, e.g., Max-Age=2592000 displays as 30d
  • Auto-display URL-decoded values: When cookie values contain %XX encoding, the decoded original text is shown automatically (e.g., sessionID%3Dabc → sessionID=abc) with a green arrow indicator
  • RFC 6265bis prefix validation: Strictly verifies compliance requirements for __Host- and __Secure- prefixed cookies, including Path=/, no Domain, and mandatory Secure
  • One-click raw header copy: Aggregate all parsed cookie raw lines for easy copying into emails, issues, or documents to share with your team
  • Structured JSON preview: Parsed results support JSON output including complete fields: name/value/decodedValue/attributes/attributeMap/warnings—directly usable in scripts and test cases
  • Fully local processing: Set-Cookie content is parsed entirely in your browser, never uploaded to any server, keeping sensitive sessions, tokens, and other data private
  • Smart warning badges: Each issue is flagged with an orange warning badge stating the exact reason—no need to cross-reference RFC documents line by line
  • Bulk multi-line input: Paste entire response headers at once (e.g., copied from Chrome DevTools Network panel) — the Set-Cookie: prefix is automatically stripped for line-by-line parsing
  • Supports quoted and semicolon-containing values: Correctly handles double-quoted cookie values and semicolons in Expires dates per RFC spec, no incorrect splitting

How to Use

  1. Open your browser's DevTools Network panel, find the target request, and copy the Set-Cookie content from the Response Headers section (supports multiple lines — copy all cookies at once)
  2. Paste the copied Set-Cookie response headers into the input area, one cookie per line (no need to manually delete the Set-Cookie: prefix; the tool strips it automatically)
  3. The tool parses in real-time: the top shows how many Set-Cookie headers were detected, and each cookie appears below as its own attribute card
  4. The card header shows the number, cookie name, and raw value; if the value contains URL encoding, the decoded value appears after a green arrow
  5. The card body displays attributes item by item: SameSite, Secure, HttpOnly, Path, Domain, Max-Age, Expires, Partitioned, etc. Max-Age automatically appends a parenthetical with human-readable time conversion
  6. The card footer shows inspection results: orange warning badges flag specific issues (each with clear explanation), green badges mean no obvious problems detected
  7. When you need to compare against server configuration, click 'Copy Raw Headers' to copy all original Set-Cookie lines; for programmatic processing, check 'JSON Preview'

FAQ

Why did the Set-Cookie header set successfully but the browser didn't save my cookie?

This is the most common issue. Browsers don't actively report errors; they silently drop non-compliant cookies. Common causes include: SameSite=None missing Secure, Secure cookies set on HTTP pages (localhost exception), __Host-/__Secure- prefix constraints not met, Domain/Path mismatch, exceeding the 4KB size limit, Max-Age being 0 or negative. We recommend first pasting your Set-Cookie headers into this tool to check warning badges and pinpoint the specific cause, then opening Chrome DevTools → Application → Cookies, looking under the relevant domain for a yellow warning triangle — hover to see the exact rejection reason.

What exactly is the difference between SameSite's Strict, Lax, and None? When should I use which?

Strict completely disallows cross-site sending — the most secure, but users clicking in from external links appear logged out, suitable for sensitive operations like payments/password changes. Lax is the default in Chrome 80+, allowing cookies to be sent during top-level GET navigation jumps (clicking an external link back to your site), but not for subresources like iframe/img/script/XHR/POST forms — recommended for most scenarios. None allows sending in all cross-site scenarios (for SSO single sign-on, third-party embedded iframes, cross-site API calls), but must be paired with Secure, otherwise the browser rejects it outright.

Why must SameSite=None be paired with Secure?

This is a rule Chrome has enforced since version 80 (February 2020), with Firefox, Edge, and Safari all following suit. Because SameSite=None explicitly allows cross-site cookie sending, attackers can more easily launch CSRF or eavesdrop in cross-site scenarios, so it must be paired with Secure (HTTPS encrypted transmission) to mitigate risk. If your SameSite=None cookie is set over HTTP, the browser simply drops it without storing it. This tool detects SameSite=None-without-Secure combinations and flags them with red warnings.

Should I use Max-Age or Expires? What's the difference?

Prefer Max-Age. Max-Age is relative time (expires after N seconds), doesn't depend on the client clock, and the browser starts counting down upon receipt; Expires is an absolute point in time, dependent on the user's local computer time (if a user sets their clock to 1970, the cookie expires immediately). When both are present, Max-Age takes priority (explicitly specified by RFC 6265). If neither is set, the cookie becomes a 'session cookie' that expires when the browser closes. This tool prompts when Expires is set without Max-Age, recommending Max-Age be added. Note: Max-Age is in seconds, not milliseconds.

What's the difference between Path=/ and not setting Path?

Path determines which URL path requests the browser will include this cookie on. When Path is not set, the browser defaults to 'the response URL with the last segment removed' — for example, when setting a cookie from /api/user/login, the default Path is /api/user/, so requests under / and /order/ won't carry this cookie. Explicitly setting Path=/ makes the cookie active across the entire site. Note that Path matching is prefix-based — Path=/api also matches /api/, /api/user, /api/v2/abc, etc. __Host- prefixed cookies require Path=/.

What's the difference between a Domain with a leading dot (like .example.com) and without?

In modern browsers (recent versions of Chrome, Firefox, Edge, Safari), the two are equivalent — both make the cookie apply to example.com and all its subdomains (a.example.com, b.c.example.com). The leading dot was old syntax from the RFC 2109 era; RFC 6265 explicitly ignores leading dots. However, the form without a dot is recommended for readability. This tool notes Domains with leading dots (not an error, but a legacy notation). Note: When Domain is not set, the cookie applies only to the current host (subdomains won't get it); setting Domain makes it apply to subdomains.

What are the __Host- and __Secure- prefixes? Can I skip them?

These are cookie name security prefixes introduced in RFC 6265bis to add hard constraints for high-security cookies: when browsers see a cookie name starting with __Host-, they enforce that Secure must be set, Path=/, and Domain must not be set — failing any condition, storage is outright rejected; the __Secure- prefix requires Secure to be set, with other attributes configurable. Cookies work fine without prefixes (most cookies don't use them), but __Host- is strongly recommended for high-security cookies like session identifiers and auth tokens, as it prevents subdomain/path-level cookie injection attacks. This tool automatically detects compliance for both prefix types.

Are HttpOnly cookies really secure? Do they prevent XSS and CSRF?

HttpOnly prevents JavaScript from reading cookie values via document.cookie, making it an important line of defense for <strong>mitigating XSS session theft</strong>, but it's not a silver bullet: XSS attackers can still initiate requests in the user's browser (which automatically carry cookies) to perform actions (this is CSRF territory); HttpOnly also doesn't defend against CSRF attacks (which require SameSite or CSRF tokens). The full trio of HttpOnly+Secure+SameSite=Lax/Strict used together achieves a baseline security level. Sensitive cookies (session, JWT, access_token) must be HttpOnly; don't expose them to frontend JS unless necessary. This tool warns on cookies missing HttpOnly.

What are Partitioned (CHIPS) cookies? When do I need them?

Partitioned is a new attribute Chrome introduced in preparation for third-party cookie phase-out, short for Cookies Having Independent Partitioned State (CHIPS). Traditional third-party cookies (like those set by ads/embedded services across multiple sites) are globally shared and can be used to cross-site track users. With Partitioned added, browsers store that third-party cookie separately per top-level site: the third-party cookie a user sees on Site A is completely independent from what they see on Site B, with no cross-site identity sharing. Use cases: embedded video/map/payment components, third-party chat plugins, cross-site SSO embedded iframes. Partitioned must be used with Secure, recommended with the __Host- prefix.

How much data can a single cookie hold? How many can be placed per domain?

Per RFC 6265, browsers must support at least 4096 bytes per cookie (including name, value, and attributes). Major browsers (Chrome/Firefox/Safari/Edge) enforce this limit; excess is silently truncated or dropped. Count limits vary by browser: Chrome allows ~180 per domain, Firefox ~150, Safari ~600 (and affected by ITP's 7-day purge policy), after which browsers evict the oldest cookies via an LRU strategy. We recommend cookies store only session identifiers — don't put large chunks of business data in cookies (store business data in localStorage or server-side sessions).

Does it support parsing Set-Cookie copied directly from Chrome DevTools? Do I need to remove prefixes manually?

Fully supported — no manual processing needed. You can go to Chrome DevTools → Network panel, click the target request, right-click the Set-Cookie value in the Response Headers section and copy directly (for multiple lines, Ctrl/⌘+click to multi-select or copy the whole block), then paste into this tool's input area. The tool automatically strips the Set-Cookie: prefix from the beginning of each line (case-insensitive), handles leading/trailing whitespace, correctly processes special characters like commas and semicolons in Expires dates, and correctly handles double-quoted cookie values.

Why do Chinese characters or special characters in cookie values become %XX form?

RFC 6265 requires cookie values to use only a safe subset of the ASCII character set, and cannot directly contain Chinese characters, spaces, commas, semicolons, etc. Many server-side frameworks automatically URL-encode (encodeURIComponent/Percent-encoding) non-ASCII characters when setting cookies, e.g., '你好' encodes to %E4%BD%A0%E5%A5%BD. Browsers also maintain the encoded form when sending them back. When this tool detects values containing %XX encoding, it automatically shows the decodeURIComponent-decoded original text next to the raw value with a green arrow for your convenience.

What's the difference between Set-Cookie and the Cookie request header?

They are headers in completely opposite directions: Set-Cookie is a response header (server → browser), appears only in responses, can appear multiple times, setting one cookie each time with full attributes (Secure/HttpOnly/Path/Domain/etc.); Cookie is a request header (browser → server), appears only once per request, containing flat name=value pairs (name1=v1; name2=v2) of all in-scope cookies, with no attribute information at all. That means servers cannot know from requests whether a cookie has HttpOnly or Secure set — attribute information is retained only by the browser when stored locally. To parse Cookie request headers, use the companion <a href='/network/http-cookie-parser/'>Cookie Request Header Parser</a>.

Why do my cookies disappear after a few days in Safari?

This is Safari's Intelligent Tracking Prevention (ITP) mechanism at work. Starting with ITP 2.1, if a user doesn't directly interact with a domain for 7 days (i.e., hasn't directly visited the domain's site), Safari purges all cookies and website data under that domain, regardless of how long Max-Age/Expires is set. This has the biggest impact on third-party embedded services, while main site cookies are unaffected as long as users keep visiting. Additionally, Safari's restrictions on third-party cookies are stricter than Chrome's. Solutions include: using the Partitioned attribute, requesting permissions via the Storage Access API, or refreshing cookies when users visit the main site. The troubleshooting section of this tool has more detailed Safari debugging guidance.

Does the tool support bulk parsing multiple Set-Cookie headers? Will cookie content be uploaded to servers?

Bulk parsing is supported. The input area supports pasting any number of multi-line Set-Cookie headers (such as pasting an entire response header block at once). Each Set-Cookie is parsed with independent numbering, with multiple attribute cards showing their respective attributes and warnings. All parsing happens entirely locally in your browser (pure frontend JavaScript processing). Cookie content is never uploaded to any server, no network requests are made, and sensitive information like sessions/tokens you paste never leaves your computer — use with confidence.

术语表

Set-Cookie
HTTP response header through which the server instructs the browser to store cookies; can appear multiple times in a single response.
Cookie (Request Header)
HTTP request header containing a list of in-scope cookie name-value pairs automatically attached by the browser, without attributes.
HttpOnly
Cookie attribute flag. When set, JavaScript cannot read the cookie via document.cookie, primarily defending against XSS session theft.
Secure
Cookie attribute flag. When set, the browser only sends this cookie over encrypted HTTPS (or localhost) connections.
SameSite
Cookie attribute controlling whether cookies are sent on cross-site requests; values are Strict/Lax/None. Defaults to Lax in Chrome 80+.
Max-Age
Cookie attribute specifying cookie lifetime in seconds. Takes priority over Expires; recommended. =0 means immediate deletion.
Expires
Cookie attribute specifying an absolute expiration time point (HTTP-date), dependent on the client clock.
Path
Cookie attribute restricting the URL path prefix where the cookie is active; defaults to the directory portion of the response URL.
Domain
Cookie attribute restricting the domain where the cookie is active. If not set, limited to current host; if set, applies to subdomains.
Partitioned (CHIPS)
Cookie attribute flag enabling partitioned third-party cookie storage; the replacement approach as Chrome phases out third-party cookies, must be paired with Secure.
__Host- Prefix
Cookie name prefix security constraint. Requires Secure, Path=/, no Domain attribute; browsers reject storage if violated.
__Secure- Prefix
Cookie name prefix security constraint. Requires Secure to be set; browsers reject storage if violated.
Session Cookie
A cookie without Max-Age or Expires set; automatically deleted when the browser closes.
Third-party Cookie
A cookie set under a domain other than the currently visited page, typically by ads, analytics, embedded iframes, and other third-party services; being increasingly restricted across browsers.

SameSite Three-Strategy Quick Reference Comparison

Complete Set-Cookie Attribute Reference (RFC 6265bis)

Common Browser Set-Cookie Size and Count Limits

Troubleshooting