Set-Cookie Inspect

Inspect Cookie / Set-Cookie attributes and consistency in your browser. No input is sent to a server. Use it for first-pass operational troubleshooting.

Status

Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.

How to use

Paste Set-Cookie lines or full response headers and click “Parse”. The tool summarizes the attributes and the check results.

Notes (this tool)

  • Accepts Set-Cookie: header lines (multi-line paste is OK).
  • Values are shown; do not paste sensitive production secrets.

About this page

What does this tool do?

Splits each Set-Cookie header into Domain/Path/Expires/Max-Age/SameSite/Secure/HttpOnly and lists them clearly.

Useful for diagnosing why cookies are not sent/stored and for checking security settings.

Basics (Set-Cookie vs Cookie)

  • Set-Cookie tells the browser which cookie to store (response header).
  • Cookie is the request header carrying stored cookies.
  • One Set-Cookie line equals one cookie; multiple lines mean multiple cookies.

Key attributes (quick)

  • Domain/Path: scope where the cookie is sent
  • Expires/Max-Age: lifetime (Max-Age takes precedence)
  • Secure: send only over HTTPS
  • HttpOnly: not accessible from JS
  • SameSite: controls cross-site sending

SameSite and Secure

When using SameSite=None, Secure is generally required (browser convention).

For cross-site login or embeds, SameSite configuration is critical.

Cookie Prefixes (__Host- / __Secure-)

  • __Secure- requires Secure.
  • __Host- requires Secure + Path=/ + no Domain.
  • Cookies that violate the prefix rules may be ignored by browsers.

Common pitfalls

  • SameSite=None without Secure → cookie not stored
  • Domain/Path mismatch prevents cookies from being sent
  • Incorrect Expires/Max-Age causes immediate expiration
  • Partial overrides among multiple Set-Cookie lines (name/path differences)
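
The checks listed above (SameSite=None without Secure, the __Host- / __Secure- prefix rules, Max-Age taking precedence over Expires) can be sketched as follows. This is an added example, not the tool's own source; the function names, finding strings, and the SAMPLE headers are constructed for illustration.

```javascript
// Added example, not the tool's source. SAMPLE is a constructed response.
const SAMPLE = [
  "HTTP/1.1 200 OK",
  "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "Set-Cookie: widget=1; SameSite=None; HttpOnly",
  "Set-Cookie: __Host-sess=x; Secure; HttpOnly; Path=/; Domain=example.test",
  "Set-Cookie: old=1; Max-Age=0; Expires=Thu, 01 Jan 2099 00:00:00 GMT; Secure; HttpOnly",
  "Set-Cookie: pref=dark; Expires=Wed, 21 Oct 2015 07:28:00 GMT",
].join("\r\n");

function parseSetCookie(line) {
  const [pair, ...rest] = line.replace(/^\s*set-cookie:\s*/i, "").split(";");
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, Math.max(eq, 0)).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    // Valueless attributes (Secure, HttpOnly) are stored as true.
    if (key) cookie.attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

function checkCookie(cookie, now = Date.now()) {
  const a = cookie.attrs, findings = [];
  const name = cookie.name.toLowerCase(); // prefix compared case-insensitively (this example's choice)
  const secure = "secure" in a;
  if (String(a.samesite).toLowerCase() === "none" && !secure)
    findings.push("SameSite=None without Secure");
  if (name.startsWith("__secure-") && !secure)
    findings.push("__Secure- prefix requires Secure");
  if (name.startsWith("__host-") && !(secure && a.path === "/" && !("domain" in a)))
    findings.push("__Host- prefix requires Secure, Path=/ and no Domain");
  if (!("httponly" in a)) findings.push("HttpOnly not set");
  // Max-Age, when it is a valid integer, takes precedence over Expires.
  let expiry = null;
  if (/^-?\d+$/.test(a["max-age"])) expiry = now + Number(a["max-age"]) * 1000;
  else if (typeof a.expires === "string" && !Number.isNaN(Date.parse(a.expires))) expiry = Date.parse(a.expires);
  if (expiry !== null && expiry <= now) findings.push("Expires immediately");
  return findings;
}

// Accepts a multi-line paste; lines that are not Set-Cookie headers are skipped.
function inspectHeaders(text, now = Date.now()) {
  return text.split(/\r?\n/).filter((l) => /^\s*set-cookie:/i.test(l)).map((l) => {
    const c = parseSetCookie(l);
    return { name: c.name, attrs: c.attrs, findings: checkCookie(c, now) };
  });
}
```

Call `inspectHeaders(SAMPLE)` to get one entry per Set-Cookie line with its parsed attributes and findings.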

Debugging workflow (recommended)

  • Extract Set-Cookie via Response Headers Parser
  • Summarize attributes and checks with this tool
  • Use Cookie Inspect to review request-side cookies

What this tool does

  • Parse Set-Cookie attributes and list them
  • Check SameSite/Secure/HttpOnly
  • Handle multiple Set-Cookie lines

Operational notes

  • Behavior can vary with browser implementation differences and default changes.
  • Duplicate cookie names and Path or Domain differences often cause operational issues.

Referenced specs

  • RFC 6265 (HTTP Cookies)
  • RFC 6265bis (Cookie Prefix/SameSite)
  • MDN: Set-Cookie

FAQ

SameSite=None cookie is not stored

Secure is required. Also ensure the response is delivered over HTTPS.

Which takes precedence: Max-Age or Expires?

Max-Age generally takes precedence. Be careful when both are present.

What if there are multiple Set-Cookie lines?

Each line is a separate cookie. Cookies with the same name are still distinct if their Path or Domain differs.
