Cookie Generator Examples
The Cookie Generator creates properly formatted HTTP Set-Cookie headers and JavaScript document.cookie strings. Below are examples for common cookie configurations with security attributes explained.
Session Cookie (HttpOnly + Secure)
A secure session cookie that expires when the browser closes:
Set-Cookie: sessionId=abc123xyz; Path=/; Secure; HttpOnly; SameSite=Lax
JavaScript equivalent (note: HttpOnly cookies cannot be set from browser JavaScript via document.cookie; set them server-side):
// Server-side (Node.js / Express), inside a route handler where res is the response object
res.cookie('sessionId', 'abc123xyz', {
  httpOnly: true,
  secure: true,
  sameSite: 'lax',
  path: '/'
});
Persistent Authentication Cookie
A "remember me" cookie that persists for 30 days:
Set-Cookie: authToken=eyJhbGciOiJIUzI1NiJ9...;
Max-Age=2592000;
Path=/;
Domain=example.com;
Secure;
HttpOnly;
SameSite=Strict
- Max-Age=2592000 — 30 days in seconds
- SameSite=Strict — never sent with cross-site requests
- HttpOnly — not accessible via JavaScript (XSS protection)
- Secure — only sent over HTTPS
User Preference Cookie (Non-HttpOnly)
A preference cookie that JavaScript needs to read:
Set-Cookie: theme=dark; Max-Age=31536000; Path=/; SameSite=Lax
Setting via JavaScript:
// Set theme preference cookie (1 year)
document.cookie = "theme=dark; max-age=31536000; path=/; samesite=lax";
Reading via JavaScript:
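function getCookie(name) {
  // Escape regex metacharacters so the cookie name is matched literally
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const match = document.cookie.match(new RegExp('(^| )' + escaped + '=([^;]+)'));
  return match ? match[2] : null;
}
const theme = getCookie('theme'); // "dark"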
Cross-Site Cookie (SameSite=None)
Required for cookies used in iframes or cross-origin requests (e.g., embedded widgets):
Set-Cookie: widgetSession=tok_xyz;
Max-Age=3600;
Path=/;
Secure;
SameSite=None
Note: SameSite=None requires the Secure attribute — it will be rejected without it.
Path-Restricted Cookie
Cookie only sent for requests to /admin and paths beneath it:
Set-Cookie: adminToken=secret123; Path=/admin; Secure; HttpOnly; SameSite=Strict
Domain-Scoped Cookie (Subdomains)
Cookie shared across all subdomains of example.com:
Set-Cookie: ssoToken=abc; Domain=.example.com; Path=/; Secure; HttpOnly; SameSite=Lax
This cookie will be sent to app.example.com, api.example.com, and example.com.
Cookie with Expiry Date
Using Expires instead of Max-Age:
Set-Cookie: promoSeen=1;
Expires=Wed, 31 Dec 2025 23:59:59 GMT;
Path=/;
SameSite=Lax
Deleting a Cookie
Set Max-Age=0 or an expired date to delete a cookie. The Path and Domain must match the values used when the cookie was set:
Set-Cookie: sessionId=; Max-Age=0; Path=/; Secure; HttpOnly
Via JavaScript:
document.cookie = "theme=; max-age=0; path=/";
Security Attribute Summary
- Secure — only transmit over HTTPS; always use for auth/session cookies
- HttpOnly — block JavaScript access; prevents XSS cookie theft
- SameSite=Strict — never sent cross-site; strongest CSRF protection
- SameSite=Lax — sent on top-level navigation; good default for most cookies
- SameSite=None — sent cross-site; requires Secure; use for embeds/widgets
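The rules in this summary can be checked mechanically when auditing an application's responses. The following is an added example, not part of the generator or the original page: the function names, the finding codes and the name heuristic for "sensitive" cookies are assumptions, and the sample headers are constructed.

```javascript
// Audit Set-Cookie headers against the attribute rules summarized above.
// Added example: parseSetCookie, auditSetCookie and SENSITIVE_NAME are hypothetical names.

// Assumption: cookies whose names match this pattern carry auth/session state.
const SENSITIVE_NAME = /sess|auth|token/i;

function parseSetCookie(header) {
  const raw = header.replace(/^set-cookie:\s*/i, '');
  // Split on ';' and trim, so multi-line and trailing-semicolon forms parse too.
  const [pair = '', ...rest] = raw.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs: new Map(),
  };
  for (const part of rest) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flag attributes carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return cookie;
}

function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = String(attrs.get('samesite') || '').toLowerCase();
  const findings = [];
  // SameSite=None is rejected by browsers unless Secure is also present.
  if (sameSite === 'none' && !attrs.has('secure')) findings.push('samesite-none-without-secure');
  if (!['strict', 'lax', 'none'].includes(sameSite)) findings.push('samesite-missing-or-invalid');
  if (SENSITIVE_NAME.test(name)) {
    if (!attrs.has('secure')) findings.push('sensitive-without-secure');
    if (!attrs.has('httponly')) findings.push('sensitive-without-httponly');
  }
  return findings;
}

// Constructed sample headers, not taken from any real application.
const samples = [
  'Set-Cookie: sessionId=abc123xyz; Path=/; Secure; HttpOnly; SameSite=Lax',
  'Set-Cookie: theme=dark; Max-Age=31536000; Path=/; SameSite=Lax',
  'Set-Cookie: widgetPrefs=compact; Max-Age=3600; Path=/; SameSite=None',
  'Set-Cookie: authToken=placeholder; Max-Age=2592000; Path=/;',
];
for (const h of samples) console.log(h, '->', auditSetCookie(h));
```

An empty findings array means the header satisfies every rule checked here; it does not cover Domain or Path scoping.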
Common Use Cases
- Generating session cookies for authentication systems
- Creating remember-me persistent login cookies
- Setting user preference cookies (theme, language, layout)
- Building cross-origin cookies for embedded widgets
- Testing cookie behavior in different browser security contexts
- Auditing cookie security attributes in existing applications
Use the generator to configure each attribute through a visual interface and get the correctly formatted Set-Cookie header or JavaScript string ready to use in your application.