Set-Cookie & Cookie Header Parser

Paste a raw Set-Cookie or Cookie header and see every attribute, expiry, and security warning broken out in your browser.

The Set-Cookie Parser runs entirely in your browser. The cookie headers, values, and any tokens they contain are parsed on your device and are never uploaded to ArrayKit.

Open the HAR Viewer

About Set-Cookie Parser

The Set-Cookie Parser takes a raw Set-Cookie response header — or a whole stack of them — and breaks each cookie into a readable table: name, URL-decoded value, Domain, Path, Expires with a friendly relative time, Max-Age, and the Secure, HttpOnly, SameSite, Priority, and Partitioned flags. It flags the mistakes that quietly break cookies, like SameSite=None without Secure, an already-expired date, or a __Host- prefix that violates its rules, and tells you whether each cookie is a session or a persistent one. Paste a Cookie request header instead and it lists every name and value being sent. Everything is parsed locally in your browser, so the headers you inspect never leave your device.

Features

How to use the Set-Cookie Parser

  1. Copy a Set-Cookie header from your browser's Network panel or a server response
  2. Paste it into the box — add more Set-Cookie lines, one per line, if you have several
  3. Read the per-cookie table for attributes, expiry, and any highlighted warnings
  4. Switch to Cookie header mode to inspect a request's Cookie: line instead

Example

Input

Set-Cookie: track=1; Domain=.example.com; SameSite=None

Output

track = 1 | Domain=.example.com | SameSite=None | Session
⚠ SameSite=None requires the Secure attribute — browsers will reject this cookie.

A SameSite=None cookie without Secure is flagged the moment you paste it.

Common errors & troubleshooting

Frequently asked questions

What does the Set-Cookie parser show for each cookie?
For every Set-Cookie header it lists the name, the URL-decoded value, and each attribute it finds — Domain, Path, Expires (with a relative time), Max-Age, Secure, HttpOnly, SameSite, Priority, and Partitioned — plus warnings for anything that looks broken.
Why does SameSite=None require the Secure attribute?
Modern browsers only accept a cross-site cookie (SameSite=None) when it is also marked Secure, so it can only travel over HTTPS. If Secure is missing the browser rejects the cookie, and the parser flags that combination with a warning.
What is the difference between Max-Age and Expires on a cookie?
Expires sets an absolute date; Max-Age sets a lifetime in seconds from when the cookie is received. When both are present Max-Age wins, so the tool resolves Max-Age against the current time and notes that it takes precedence over Expires.
What do the __Host- and __Secure- cookie name prefixes mean?
They are security prefixes browsers enforce. A __Secure- cookie must set Secure; a __Host- cookie must set Secure, omit Domain, and use Path=/. The parser checks these rules and warns when a cookie's name promises guarantees its attributes do not keep.
Can this tool also parse a Cookie request header?
Yes. Switch to Cookie header mode and paste a Cookie: line (or a bare "a=1; b=2" string) to get a table of every cookie name and value the request sends, each URL-decoded and copyable.
What is a session cookie versus a persistent cookie here?
A cookie with no Expires and no Max-Age is a session cookie — it is cleared when the browser closes. Anything with an Expires date or Max-Age is persistent. The parser labels each cookie Session or Persistent so you can tell at a glance.

Related tools

All ArrayKit tools