OnSumo Tools

HTTP Cookie Decoder

This tool parses and decodes browser cookie strings directly in your browser. Paste a raw Cookie request header or a Set-Cookie response header, and the tool displays each cookie's name, value, and all attributes (domain, path, expiration, HttpOnly, Secure, SameSite) in a readable table. No data is sent to a server. Your session cookies, authentication tokens, and tracking values stay on your device. The tool is free, requires no account, and works offline after the page loads.

Cookie strings are parsed in your browser only. Nothing is uploaded or stored on a server. Avoid pasting live session tokens on shared machines.

How this tool works

The cookie decoder parses the raw value of a Set-Cookie HTTP response header and displays each attribute in plain language. A full Set-Cookie header looks like: Set-Cookie: session_id=abc123; Path=/; Domain=.example.com; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Secure; HttpOnly; SameSite=Lax. The tool splits the cookie name-value pair from the directive attributes and explains each: Path restricts which URL paths the cookie is sent to; Domain controls which hostnames receive the cookie (a leading dot includes all subdomains); Expires and Max-Age set the cookie lifetime (a session cookie with no expiry is deleted when the browser closes); Secure requires an HTTPS connection before transmitting; HttpOnly blocks JavaScript access via document.cookie; SameSite controls cross-site request behavior (Strict blocks all cross-site sends, Lax allows top-level navigation, None allows all but requires Secure). Key assumption: the tool parses the header value you paste and does not fetch cookies from a live URL. Export raw Set-Cookie headers from your browser's DevTools Network tab. Edge case: cookies missing the Secure flag are transmitted in plain text over HTTP connections and can be intercepted on unencrypted networks. The tool highlights absent Secure and HttpOnly flags as security warnings because their absence is the most frequent root cause of session-hijacking vulnerabilities in web applications.

Worked example

Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict shows all security checks as pass. SameSite=None without Secure is flagged as fail. A value of dGVzdA== also shows a Base64 decode of "test".

Related tools

Frequently asked questions

  • What is the difference between Expires and Max-Age?

    Both control when a cookie expires. Expires sets an absolute date and time. Max-Age sets a duration in seconds from the current time. When both are present, Max-Age takes precedence in modern browsers. Expires is a legacy attribute still used for compatibility with older clients. The decoder shows both and notes which one takes precedence.

  • What does HttpOnly mean?

    HttpOnly prevents JavaScript running on the page from reading the cookie via document.cookie. It does not affect how the browser sends the cookie in HTTP requests. It is a security measure that protects session cookies from being stolen by cross-site scripting (XSS) attacks. Any cookie that stores a session ID or authentication token should have HttpOnly set.

  • What does SameSite do?

    SameSite controls whether the browser sends the cookie with cross-site requests. Strict means the cookie is only sent when navigating to the cookie's domain from that same domain. Lax (the default in modern browsers if not specified) allows the cookie to be sent on top-level navigations (like clicking a link) but not on embedded cross-site requests. None allows the cookie to be sent with all cross-site requests and requires Secure to be set.

  • What is a session cookie vs. a persistent cookie?

    A session cookie has no Expires or Max-Age attribute. The browser deletes it when the browser session ends (when the browser is closed). A persistent cookie has an Expires or Max-Age attribute and is stored on disk until the expiration time.

  • Can I decode a cookie value that looks like a JWT?

    Yes. If the cookie value is a JWT (three base64url-encoded segments separated by dots), the decoder recognizes the format and offers to expand it. Click the JWT expand option to see the decoded header and payload inline. For full JWT inspection, use the JWT Decoder.

  • What does Secure mean on a cookie?

    Secure means the browser only sends this cookie over HTTPS connections. It does not encrypt the cookie value. On a plain HTTP connection, the browser will not attach the cookie to the request even if it is present. Any cookie containing sensitive data should have Secure set.