Cookie Domain/Path Matcher
Diagnose “cookie stored but not sent” issues by checking Domain, Path, and Secure matching rules entirely in-browser.
Status
Runs in your browser. No input is sent to a server. Useful for first-pass Domain/Path/Secure troubleshooting.
How to use
Enter the request URL, provide a Set-Cookie line or Domain/Path/Secure values, then click “Match”. Review the OK/NG result for each condition.
Notes (this tool)
- SameSite and browser third-party restrictions are out of scope for this matcher.
About this page
What does this tool do?
Compares the request URL with the cookie rules (Domain/Path/Secure) and reports whether the cookie should be sent.
You can paste a Set-Cookie line directly, or enter Domain/Path manually for rule-by-rule verification.
Typical use cases
- Cookie is not sent on the next request after login
- Sessions became unstable after subdomain migration
- Auth is lost on some paths after changing cookie Path
Key matching logic
- No Domain means host-only cookie and requires exact host match
- Domain attribute uses suffix matching (example.com and subdomains)
- Path uses prefix matching (/app matches /app/*)
- Secure cookies are sent only over HTTPS requests
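The four rules above, written out as an added example (this is not the tool's own source; the function names are hypothetical). It assumes the cookie was issued by the request URL unless a source URL is passed, and it leaves out SameSite and public-suffix checks.

```javascript
// Added example: RFC 6265 Domain/Path/Secure matching. All function names are hypothetical.
// Pull Domain, Path and Secure out of a Set-Cookie line; other attributes are ignored.
function parseSetCookie(line) {
  const attrs = { domain: null, path: null, secure: false };
  for (const part of line.replace(/^set-cookie:\s*/i, '').split(';').slice(1)) {
    const eq = part.indexOf('=');
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq < 0 ? '' : part.slice(eq + 1).trim();
    if (name === 'domain' && value) attrs.domain = value.replace(/^\./, '').toLowerCase();
    else if (name === 'path' && value.startsWith('/')) attrs.path = value;
    else if (name === 'secure') attrs.secure = true;
  }
  return attrs;
}

// Default path: the issuing URL's path up to, but not including, its last "/".
function defaultPath(sourceUrl) {
  const p = new URL(sourceUrl).pathname;
  const cut = p.lastIndexOf('/');
  return cut <= 0 ? '/' : p.slice(0, cut);
}

// Domain attribute: identical host, or a subdomain of it. IP literals never suffix-match.
function domainMatches(host, domain) {
  if (host === domain) return true;
  return host.endsWith('.' + domain) && !/^[\d.]+$|:/.test(host);
}

// Path: prefix match that must end on a "/" boundary, so /app does not match /application.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Returns one boolean per condition plus the overall verdict.
function matchCookie(requestUrl, setCookieLine, sourceUrl = requestUrl) {
  const req = new URL(requestUrl);
  const c = parseSetCookie(setCookieLine);
  const host = req.hostname.toLowerCase();
  const domain = c.domain === null
    ? host === new URL(sourceUrl).hostname.toLowerCase() // host-only: exact host
    : domainMatches(host, c.domain);
  const path = pathMatches(req.pathname, c.path ?? defaultPath(sourceUrl));
  const secure = !c.secure || req.protocol === 'https:';
  return { domain, path, secure, sent: domain && path && secure };
}
```

Passing the URL that issued the cookie as the third argument matters for host-only cookies and for cookies without a Path attribute, since both fall back to values derived from that URL.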
What this tool does
- Check match/mismatch between URL and cookie rules
- Extract Domain/Path/Secure from Set-Cookie lines
- Show mismatch reasons separately for Domain/Path/Secure
Debugging workflow (recommended)
- Enter target URL and paste Set-Cookie line
- Identify which condition failed (Domain/Path/Secure)
- Re-check full attributes with Set-Cookie Inspect / Cookie Security Audit
Operational notes
- This tool focuses on Domain/Path/Secure only. Check SameSite and browser third-party restrictions separately.
- Default Path depends on the URL that issued the cookie. Providing source URL improves estimation accuracy.
Referenced specs
- RFC 6265 (Domain Matching / Path Matching)
- RFC 6265 (Secure attribute)
FAQ
Do I need `.example.com` as Domain?
A leading dot makes little practical difference today. What matters is whether the cookie is host-only or has an explicit Domain attribute.
Is Path=`/` always safer?
It broadens send scope and may be excessive. Use the minimal path scope required by your app.
References
Next to view (diagnostic order)
- Set-Cookie Inspect — Parse Set-Cookie attributes and review delivery policy
- SameSite Cookie Simulator — Simulate cookie send behavior from SameSite and request context
- Set-Cookie Conflict Checker — Detect same-name cookie conflicts and overwrite risks
- Cookie Security Audit — Audit Secure/HttpOnly/SameSite settings
- Cookie Size Checker — Estimate Cookie header size and check limit risks
- Cookie Parser — Split Cookie headers into key=value pairs
- How to Diagnose Set-Cookie Not Persisting — Isolate cookie persistence failures by checking Domain/Path/Secure/SameSite in order
- How to Diagnose Same-Name Cookie Collisions — Resolve unstable behavior by tracing same-name cookie path/domain variants, overwrite order, and send collisions
Example
Request URL: https://app.example.com/app/dashboard
Set-Cookie: sid=abc; Domain=example.com; Path=/app; Secure