Cookie Parser Examples
The Cookie Parser breaks down raw cookie strings into their individual components, explaining each attribute and flagging security issues. Below are examples of parsed cookies and what the output looks like.
Parsing a Session Cookie Header
Input (raw Set-Cookie header):
Set-Cookie: sessionId=abc123xyz; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600
Parsed output:
Name: sessionId
Value: abc123xyz
Attributes:
Path: /
Max-Age: 3600 (expires in 1 hour)
Secure: ✓ Yes — only sent over HTTPS
HttpOnly: ✓ Yes — not accessible via JavaScript
SameSite: Lax — sent on top-level navigation, blocked on cross-site sub-requests
Security Assessment: GOOD
✓ Secure flag present
✓ HttpOnly flag present
✓ SameSite policy set
Parsing a Cookie with Security Issues
Input:
Set-Cookie: userToken=eyJhbGciOiJIUzI1NiJ9.abc.xyz; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT
Parsed output:
Name: userToken
Value: eyJhbGciOiJIUzI1NiJ9.abc.xyz (looks like a JWT token)
Decoded: { "alg": "HS256" } . { ... } . [signature]
Attributes:
Path: /
Expires: Thu, 01 Jan 2026 00:00:00 GMT (expires in ~9 months)
Security Assessment: WARNINGS
✗ Missing Secure flag — cookie will be sent over HTTP (plaintext)
✗ Missing HttpOnly flag — accessible via JavaScript (XSS risk)
✗ Missing SameSite attribute — defaults to browser behavior (CSRF risk)
Parsing a document.cookie String
Input (from browser console):
theme=dark; lang=en-US; sessionId=abc123; _ga=GA1.2.123456789.1700000000
Parsed output (multiple cookies):
Cookie 1:
Name: theme
Value: dark
Cookie 2:
Name: lang
Value: en-US
Cookie 3:
Name: sessionId
Value: abc123
Cookie 4:
Name: _ga
Value: GA1.2.123456789.1700000000
Note: Google Analytics tracking cookie
Parsing a Cookie with URL-Encoded Value
Input:
Set-Cookie: redirect=%2Fdashboard%2Fsettings%3Ftab%3Dprofile; Path=/; SameSite=Lax
Parsed output:
Name: redirect
Raw Value: %2Fdashboard%2Fsettings%3Ftab%3Dprofile
Decoded Value: /dashboard/settings?tab=profile
Attributes:
Path: /
SameSite: Lax
Parsing a SameSite=None Cookie
Input:
Set-Cookie: widgetToken=tok_abc; Path=/; Secure; SameSite=None; Max-Age=86400
Parsed output:
Name: widgetToken
Value: tok_abc
Attributes:
Path: /
Max-Age: 86400 (expires in 24 hours)
Secure: ✓ Yes
SameSite: None — sent with all cross-site requests
Note: SameSite=None requires Secure. Secure is present — valid configuration.
Use case: Embedded widgets, cross-origin iframes, third-party integrations.
Parsing an Expired Cookie
Input:
Set-Cookie: oldSession=xyz; Expires=Mon, 01 Jan 2024 00:00:00 GMT; Path=/
Parsed output:
Name: oldSession
Value: xyz
Attributes:
Path: /
Expires: Mon, 01 Jan 2024 00:00:00 GMT
Status: EXPIRED — this cookie expired 2 years ago.
Setting this cookie will immediately delete it from the browser.
Security Audit Checklist
The parser evaluates each cookie against these security criteria:
- Secure flag — required for any cookie containing sensitive data
- HttpOnly flag — required for session and auth cookies to prevent theft of the cookie through XSS
- SameSite attribute — should be Strict or Lax for most cookies
- Expiration — session cookies should not have long-lived expiry
- Domain scope — avoid overly broad domain settings
- Path scope — restrict to the minimum necessary path
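The flag checks in this list can be expressed as a small parser and auditor. The following is an added example, not the Cookie Parser's own code: the function names `parseSetCookie` and `auditCookie` and the finding labels are hypothetical, and it assumes every cookie is treated as sensitive.

```javascript
// Added illustration; parseSetCookie and auditCookie are hypothetical names.
function parseSetCookie(header) {
  const parts = header.replace(/^Set-Cookie:\s*/i, "").split(";").map((s) => s.trim());
  const pair = parts.shift();
  const eq = pair.indexOf("=");
  if (eq === -1) return null; // no name=value pair: nothing to parse
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of parts) {
    if (!part) continue;
    const i = part.indexOf("=");
    // Attribute names are case-insensitive; flags such as Secure carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Assumption: every cookie is treated as sensitive, so all checks apply.
function auditCookie(cookie, now = new Date()) {
  const a = cookie.attrs;
  const findings = [];
  const sameSite = typeof a.samesite === "string" ? a.samesite.toLowerCase() : null;
  if (!a.secure) findings.push("missing-secure");
  if (!a.httponly) findings.push("missing-httponly");
  if (!sameSite) findings.push("missing-samesite");
  if (sameSite === "none" && !a.secure) findings.push("samesite-none-without-secure");
  // Max-Age takes precedence over Expires when both are present.
  let expired = false;
  if (a["max-age"] !== undefined) expired = Number(a["max-age"]) <= 0;
  else if (typeof a.expires === "string") expired = new Date(a.expires) <= now;
  if (expired) findings.push("expired");
  return findings;
}

// Headers from the examples on this page, plus one constructed misconfiguration.
const samples = [
  "Set-Cookie: sessionId=abc123xyz; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
  "Set-Cookie: userToken=eyJhbGciOiJIUzI1NiJ9.abc.xyz; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT",
  "Set-Cookie: widgetToken=tok_abc; Path=/; SameSite=None", // constructed: Secure removed
];
for (const header of samples) {
  const cookie = parseSetCookie(header);
  console.log(cookie.name, auditCookie(cookie));
}
```

Pass a fixed `now` to `auditCookie` when the expiry result needs to be reproducible, for example in a CI check over captured response headers.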
Common Use Cases
- Debugging authentication and session cookie issues
- Auditing cookie security attributes in web applications
- Understanding cookies set by third-party scripts
- Comparing cookies across development and production environments
- Building GDPR/CCPA cookie consent disclosures
- Learning about cookie security attributes and their effects
Paste any raw Set-Cookie header or document.cookie string to instantly see a structured breakdown with security assessment and attribute explanations.