Set-Cookie & Cookie Header Parser
Paste a raw Set-Cookie or Cookie header and see every attribute, expiry, and security warning broken out in your browser.
The Set-Cookie Parser runs entirely in your browser. The cookie headers, values, and any tokens they contain are parsed on your device and are never uploaded to ArrayKit.
Open the HAR Viewer
About Set-Cookie Parser
The Set-Cookie Parser takes a raw Set-Cookie response header — or a whole stack of them — and breaks each cookie into a readable table: name, URL-decoded value, Domain, Path, Expires with a friendly relative time, Max-Age, and the Secure, HttpOnly, SameSite, Priority, and Partitioned flags. It flags the mistakes that quietly break cookies, like SameSite=None without Secure, an already-expired date, or a __Host- prefix that violates its rules, and tells you whether each cookie is a session or a persistent one. Paste a Cookie request header instead and it lists every name and value being sent. Everything is parsed locally in your browser, so the headers you inspect never leave your device.
Features
- Breaks each Set-Cookie header into its name, value, and every attribute
- URL-decodes the cookie value and copies the raw name=value on demand
- Parses Expires into an absolute date plus a relative "in 2 hours" label
- Resolves Max-Age against the current time to show the real expiry moment
- Warns on SameSite=None without Secure, expired dates, and Max-Age of zero
- Checks __Host- and __Secure- name-prefix rules and the Partitioned flag
- Switches to a Cookie request-header mode that lists every name/value pair
- Parses one or many Set-Cookie lines at once, entirely in your browser
How to use the Set-Cookie Parser
- Copy a Set-Cookie header from your browser's Network panel or a server response
- Paste it into the box — add more Set-Cookie lines, one per line, if you have several
- Read the per-cookie table for attributes, expiry, and any highlighted warnings
- Switch to Cookie header mode to inspect a request's Cookie: line instead
Example
Input
Set-Cookie: track=1; Domain=.example.com; SameSite=None
Output
track = 1 | Domain=.example.com | SameSite=None | Session
⚠ SameSite=None requires the Secure attribute — browsers will reject this cookie.
A SameSite=None cookie without Secure is flagged the moment you paste it.
Common errors & troubleshooting
- Several Set-Cookie headers were pasted but only the first one parsed. — Put each Set-Cookie header on its own line. Do not join them with commas — a valid Expires value already contains a comma, so comma-joining corrupts the date.
- Expires shows "could not be parsed as an HTTP date." — Use the standard HTTP-date format, e.g. Expires=Wed, 21 Oct 2025 07:28:00 GMT. A malformed or non-GMT date cannot be read reliably.
- A Cookie request header was read as one Set-Cookie with odd attributes. — Switch to the Cookie header tab, or prefix the line with "Cookie:" so it is treated as a request header of name=value pairs.
- The value looks percent-encoded, like dark%20mode. — The parser URL-decodes the value for display (dark mode) while the Copy button still yields the exact raw name=value from the header.
Frequently asked questions
- What does the Set-Cookie parser show for each cookie?
- For every Set-Cookie header it lists the name, the URL-decoded value, and each attribute it finds — Domain, Path, Expires (with a relative time), Max-Age, Secure, HttpOnly, SameSite, Priority, and Partitioned — plus warnings for anything that looks broken.
- Why does SameSite=None require the Secure attribute?
- Modern browsers only accept a cross-site cookie (SameSite=None) when it is also marked Secure, so it can only travel over HTTPS. If Secure is missing the browser rejects the cookie, and the parser flags that combination with a warning.
- What is the difference between Max-Age and Expires on a cookie?
- Expires sets an absolute date; Max-Age sets a lifetime in seconds from when the cookie is received. When both are present Max-Age wins, so the tool resolves Max-Age against the current time and notes that it takes precedence over Expires.
- What do the __Host- and __Secure- cookie name prefixes mean?
- They are security prefixes browsers enforce. A __Secure- cookie must set Secure; a __Host- cookie must set Secure, omit Domain, and use Path=/. The parser checks these rules and warns when a cookie's name promises guarantees its attributes do not keep.
- Can this tool also parse a Cookie request header?
- Yes. Switch to Cookie header mode and paste a Cookie: line (or a bare "a=1; b=2" string) to get a table of every cookie name and value the request sends, each URL-decoded and copyable.
- What is a session cookie versus a persistent cookie here?
- A cookie with no Expires and no Max-Age is a session cookie — it is cleared when the browser closes. Anything with an Expires date or Max-Age is persistent. The parser labels each cookie Session or Persistent so you can tell at a glance.
Related tools
- User Agent Parser — Parse a User-Agent string into browser, engine, operating system and device, in your browser.
- URL Parser — Break a URL into its parts and list query parameters.
- HAR File Viewer — Open a HAR file and inspect the request waterfall, headers, timings and sizes, in your browser.
- HTTP Status & MIME Types — Searchable reference of HTTP status codes and MIME content types.
- URL Builder & UTM Generator — Construct and validate fully encoded production URLs with standard analytics query flags (UTM) or custom query arrays.
- IPv6 ↔ IPv4 Converter — Convert between IPv4 and IPv6 (mapped/expanded/compressed) and extract embedded IPv4.
All ArrayKit tools