Set-Cookie Parser

Parse a Set-Cookie header into structured fields.

Overview

The Set-Cookie parser breaks a Set-Cookie: header into its structured fields: name, value, domain, path, expires, max-age, secure, httponly, samesite, and partitioned. Paste a single header (or several) and each attribute is shown on its own row with a note on what it does and whether the combination is safe.

Web developers debugging session loss between subdomains, security engineers reviewing third-party cookie usage, and support staff investigating "my login keeps logging out" all need a Set-Cookie inspector.

How it works

Set-Cookie is defined in RFC 6265 (with newer SameSite and Partitioned attributes added by the IETF httpbis working group). The header starts with name=value and continues with semicolon-separated attributes. The mandatory name=value pair must come first; attributes are optional, and their names are case-insensitive. Common attributes are Domain (which hosts may send it), Path (which URL prefix triggers it), Expires / Max-Age (lifetime), Secure (HTTPS only), HttpOnly (no JavaScript access), and SameSite (Strict, Lax, or None).

SameSite=None requires Secure and is increasingly required for any cookie sent on a cross-site request. Partitioned (CHIPS) further isolates third-party cookies by top-level site, so a partitioned cookie set under one site is not sent under another and cannot be used for cross-site tracking.

Examples

  • Set-Cookie: session=abc; Path=/; Secure; HttpOnly; SameSite=Strict — the canonical hardened session cookie.
  • Set-Cookie: tracking=xyz; Domain=.example.com; Secure; SameSite=None — a cookie that needs to survive cross-site context.
  • Set-Cookie: theme=dark; Max-Age=31536000; SameSite=Lax — a one-year preference cookie, the everyday default.
  • Set-Cookie: cart=42; Path=/shop; Expires=Wed, 31 Dec 2026 23:59:59 GMT — a path-scoped cookie with absolute expiry.
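
The parsing and safety rules described on this page, as an added JavaScript example (not the tool's own code). The helper names parseSetCookie and auditCookie and the wording of the notes are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, not the tool's own API.
const FLAGS = new Set(["secure", "httponly", "partitioned"]);

function parseSetCookie(header) {
  const line = header.replace(/^set-cookie:\s*/i, "");
  const [pair, ...rest] = line.split(";");
  const eq = pair.indexOf("=");
  // The name=value pair must come first; this example rejects a header without one.
  if (eq < 1) throw new Error("missing name=value pair");
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const raw of rest) {
    const i = raw.indexOf("=");
    // Attribute names are case-insensitive, so normalise them to lower case.
    const key = (i === -1 ? raw : raw.slice(0, i)).trim().toLowerCase();
    if (!key) continue; // tolerate a trailing ";"
    cookie.attrs[key] = FLAGS.has(key) ? true : i === -1 ? "" : raw.slice(i + 1).trim();
  }
  return cookie;
}

function auditCookie(cookie, now = Date.now()) {
  const a = cookie.attrs;
  const notes = [];
  if ((a.samesite || "").toLowerCase() === "none" && !a.secure)
    notes.push("SameSite=None without Secure: browsers reject it");
  if (!a.secure) notes.push("no Secure: also sent over plain HTTP");
  if (!a.httponly) notes.push("no HttpOnly: readable from JavaScript");
  // Max-Age wins over Expires; with neither, this is a session cookie (null).
  let expiresAt = null;
  if (/^-?\d+$/.test(a["max-age"] || "")) expiresAt = now + Number(a["max-age"]) * 1000;
  else if (a.expires && !Number.isNaN(Date.parse(a.expires))) expiresAt = Date.parse(a.expires);
  // No Domain attribute means the cookie is bound to the exact host that set it.
  const scope = a.domain ? "domain and its subdomains" : "host-only";
  return { notes, expiresAt, scope };
}

// Headers taken from the Examples list above.
const hardened = parseSetCookie("Set-Cookie: session=abc; Path=/; Secure; HttpOnly; SameSite=Strict");
const tracking = parseSetCookie("Set-Cookie: tracking=xyz; Domain=.example.com; Secure; SameSite=None");
console.log(auditCookie(hardened), auditCookie(tracking));
```
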

FAQ

What is the difference between Expires and Max-Age?

Expires is an absolute HTTP date. Max-Age is seconds from now. If both are present, Max-Age wins. A session cookie omits both and is deleted when the browser closes.

Why does SameSite=None require Secure?

Because cross-site cookies are particularly exposed to network attackers. Browsers reject SameSite=None over plain HTTP.

What does Partitioned do?

CHIPS (Cookies Having Independent Partitioned State) gives a third-party cookie a per-site key, so the same iframe on siteA.com and siteB.com sees different cookies. Useful for embedded widgets that need state but should not track across sites.

Can I scope a cookie to a single subdomain?

Yes — omit the Domain attribute. With no Domain, the cookie defaults to the exact host that set it. Setting Domain=.example.com widens it to all subdomains.
