Cookie parser

Parse Cookie and Set-Cookie headers in your browser — decode values, read attributes, and catch config mistakes. Nothing leaves your machine.

About this tool

A cookie parser breaks an HTTP cookie string into its parts. A request "Cookie" header (the same string you get from document.cookie) is a flat "name=value; name=value" list, while each "Set-Cookie" response header carries one cookie plus its attributes: Domain, Path, Expires, Max-Age, Secure, HttpOnly, SameSite, Partitioned, and Priority. This tool reads both: it splits on the right delimiters, URL-decodes and unquotes values (which may themselves contain "="), reports each cookie's byte size against the ~4096-byte browser limit, and resolves Expires and Max-Age into human-readable dates and countdowns.

Use it to debug why a cookie isn't being set or sent — paste a Set-Cookie line and the tool flags the classic mistakes: SameSite=None without Secure, a missing Expires/Max-Age that quietly makes it a session cookie, an oversized payload, or a legacy leading-dot Domain. Or paste a Cookie header to inventory exactly what a request is carrying, copy it as JSON for a test fixture, or spot a bloated cookie that's slowing requests. "Load my cookies" pulls in document.cookie for this page so you can inspect your own non-HttpOnly cookies on the spot.

Everything is parsed locally in your browser: no header, value, or cookie is ever sent to a server, and HttpOnly cookies are intentionally invisible to document.cookie, so they won't appear under "Load my cookies".

Frequently asked questions

What's the difference between the Cookie and Set-Cookie headers?

The Cookie header is sent by the browser to the server as a single line of "name=value" pairs separated by semicolons, with no attributes. Set-Cookie goes the other way — one header per cookie in the response — and carries attributes like Domain, Path, Expires, Max-Age, Secure, and SameSite that tell the browser how to store and send it.

Does Max-Age or Expires win when both are set?

Max-Age takes precedence. If a Set-Cookie header includes both, browsers that support Max-Age use it and ignore Expires; Max-Age is a lifetime in seconds, while Expires is an absolute date. A Max-Age of 0 or a negative value deletes the cookie immediately.

Why is my SameSite=None cookie being rejected?

Browsers require the Secure attribute whenever SameSite=None is used, so the cookie is only sent over HTTPS. A Set-Cookie with SameSite=None but no Secure flag is dropped — add Secure (and serve over HTTPS) to fix it.
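
The checks listed under "About this tool" and the Max-Age precedence rule from the FAQ, written out as an added JavaScript example. This is not the tool's own code; the function names, warning strings, sample header and the choice to measure size on the raw name=value pair are assumptions made for illustration.

```javascript
// Added example; function names and warning strings are hypothetical.
const MAX_COOKIE_BYTES = 4096; // approximate browser limit cited on this page

function parseSetCookie(line) {
  const [pair, ...rest] = line.replace(/^set-cookie:\s*/i, "").split(";");
  const eq = pair.indexOf("="); // first "=" only: the value may contain "="
  const name = eq < 0 ? "" : pair.slice(0, eq).trim();
  let value = pair.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1"); // unquote
  try { value = decodeURIComponent(value); } catch { /* not %-encoded: keep raw */ }
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  // Size is measured on the raw name=value pair, as UTF-8 bytes (assumption).
  const bytes = new TextEncoder().encode(pair.trim()).length;
  return { name, value, attrs, bytes };
}

function auditSetCookie(line, now = Date.now()) {
  const cookie = parseSetCookie(line);
  const a = cookie.attrs;
  const warnings = [];
  if (String(a.samesite).toLowerCase() === "none" && !a.secure)
    warnings.push("SameSite=None without Secure");
  if (typeof a.domain === "string" && a.domain.startsWith("."))
    warnings.push("legacy leading-dot Domain");
  if (cookie.bytes > MAX_COOKIE_BYTES) warnings.push("oversized cookie");
  let expiresAt = null; // null means session cookie
  if (/^-?\d+$/.test(a["max-age"])) {
    // Max-Age wins over Expires; 0 or negative expires the cookie immediately.
    expiresAt = now + Math.max(0, Number(a["max-age"])) * 1000;
  } else if (typeof a.expires === "string" && !Number.isNaN(Date.parse(a.expires))) {
    expiresAt = Date.parse(a.expires);
  } else {
    warnings.push("no Expires/Max-Age: session cookie");
  }
  const deleted = expiresAt !== null && expiresAt <= now;
  return { ...cookie, expiresAt, deleted, warnings };
}

// Constructed sample header, not captured from a real site.
const SAMPLE = "Set-Cookie: sid=a%3Db==; Domain=.example.com; Path=/; " +
  "SameSite=None; Max-Age=3600; Expires=Wed, 21 Oct 2015 07:28:00 GMT";
console.log(auditSetCookie(SAMPLE));
```

Passing a fixed `now` makes the expiry result reproducible, which is useful when the output becomes a test fixture.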