T
DataToolings

HTTP Cookie Parser

Parse Set-Cookie and Cookie headers into structured fields, or build a Set-Cookie header from attributes.

What Are HTTP Cookies?

HTTP cookies are small pieces of data sent from a server via the Set-Cookie response header and returned by the browser in subsequent requests via the Cookie header. They store session tokens, user preferences, tracking IDs, and more. This tool lets you parse both header types into structured fields, and build a Set-Cookie header from a form.

How to Use

  • Parse Set-Cookie: paste a full Set-Cookie header value to see all attributes broken out
  • Parse Cookie: paste a Cookie request header to see all name=value pairs
  • Build Set-Cookie: fill in the form fields to generate a valid Set-Cookie header string
  • Use the Load Sample button to see an example in each mode

Cookie Attributes Explained

  • Path: limits the cookie to requests matching this path prefix
  • Domain: specifies which domains can receive the cookie; subdomains are included if prefixed with a dot
  • Expires / Max-Age: controls cookie lifetime; Max-Age (seconds) takes precedence over Expires
  • SameSite: Strict (same site only), Lax (top-level navigation), or None (cross-site, requires Secure)
  • Secure: cookie is only sent over HTTPS
  • HttpOnly: JavaScript cannot access the cookie via document.cookie
  • Partitioned: CHIPS — cookie is partitioned by top-level site (for third-party embeds)

FAQ

What is the difference between Set-Cookie and Cookie headers?

Set-Cookie is a response header — the server sends it to set a cookie in the browser. Cookie is a request header — the browser sends it back to the server with every matching request. A single Cookie header can contain many name=value pairs separated by semicolons.

When should I use SameSite=Strict vs Lax vs None?

Use Strict for sensitive operations (banking, admin) where cross-site requests must never carry the cookie. Use Lax (the browser default since 2020) for most session cookies — it allows top-level GET navigations. Use Noneonly for third-party embeds, and always pair it with Secure.

What does HttpOnly protect against?

HttpOnly prevents JavaScript (including XSS payloads) from reading the cookie viadocument.cookie. Always set HttpOnly on session tokens and authentication cookies.

What is the Partitioned attribute?

Partitioned (CHIPS — Cookies Having Independent Partitioned State) partitions a third-party cookie by the top-level site. This preserves functionality of embedded widgets while isolating them from cross-site tracking, making them compatible with future third-party cookie deprecation.