ZeroTool Workbench

Cookie String Parser

Parse Cookie header strings into a structured name/value table. Identifies flags (HttpOnly, Secure, SameSite, Path, Domain, Expires, Max-Age). URL decode toggle. Copy as JSON. Free, 100% client-side.


How to Use

  1. Paste a raw Cookie header string (e.g. from browser DevTools) into the text area.
  2. Click Parse to display all cookies in a table with Name, Value, and Flags columns.
  3. Toggle URL Decode values to control whether percent-encoded characters are decoded.
  4. Switch to the JSON tab to see the cookies as a formatted JSON object.
  5. Click Copy JSON to copy the JSON object to your clipboard.

Example Input

session=abc123; user=admin; theme=dark; Path=/; HttpOnly; Secure; SameSite=Lax

The parser will show session, user, and theme as cookie rows, with Path=/, HttpOnly, Secure, and SameSite=Lax displayed as flags.

URL Encoding Example

q=hello%20world; token=abc%3D123

With URL Decode enabled, q becomes hello world and token becomes abc=123. With it disabled, the raw encoded strings are shown.

Common Cookie Flags

  • HttpOnly — prevents JavaScript from accessing the cookie via document.cookie, which limits cookie theft through XSS.
  • Secure — cookie is only sent over HTTPS connections.
  • SameSite — controls cross-site cookie sending (Strict, Lax, or None).
  • Path — limits the cookie to a specific URL path on the server.
  • Domain — specifies which domains the cookie is sent to.
  • Expires — sets an absolute expiry date for the cookie.
  • Max-Age — sets a relative expiry in seconds from now.

FAQ

What Cookie format is supported?

Standard HTTP Cookie header format: semicolon-separated name=value pairs, e.g. session=abc123; user=admin; theme=dark. The tool handles optional spaces around semicolons and equals signs.

What are Cookie flags?

Flags are attributes that appear after the key=value pairs in a Set-Cookie header, like HttpOnly, Secure, SameSite=Lax, Path=/, Domain=example.com, Expires=..., or Max-Age=3600. They control cookie behavior such as JavaScript access, secure transmission, and expiry.

What does the URL Decode toggle do?

When enabled (default), percent-encoded characters in cookie values are decoded — for example %20 becomes a space and %3D becomes =. Disable it to see the raw encoded value.

What happens with invalid tokens?

Tokens without an = sign that are not recognized as known flags (HttpOnly, Secure, etc.) are silently skipped. All valid name=value pairs are still parsed and displayed.

Is any data sent to a server?

No. All parsing is done entirely in your browser using JavaScript. Your cookie data never leaves your machine.

What does Copy JSON produce?

A JSON object where each parsed cookie name becomes a key and its (optionally URL-decoded) value becomes the string value. Flags are excluded from the JSON output.
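
The parsing rules described in this FAQ, as an added JavaScript example (not the tool's own source code). parseCookieString, safeDecode and the sample string are hypothetical names and constructed input. It goes slightly beyond the page by keeping a value raw when its percent-encoding is malformed and by using a null-prototype object so a cookie named __proto__ is stored as plain data.

```javascript
// Attribute names the page lists as flags; matched case-insensitively.
const KNOWN_FLAGS = new Set(["httponly", "secure", "samesite", "path", "domain", "expires", "max-age"]);

// Decode percent-encoding, falling back to the raw text when it is malformed
// (decodeURIComponent throws URIError on input such as "%E0%A4%A").
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (err) {
    return text;
  }
}

// parseCookieString is a hypothetical name, not the tool's own function.
function parseCookieString(input, { urlDecode = true } = {}) {
  // Null-prototype object so a cookie named "__proto__" is stored as data.
  const cookies = Object.create(null);
  const flags = [];
  for (const rawToken of input.split(";")) {
    const token = rawToken.trim();
    if (token === "") continue;
    const eq = token.indexOf("=");
    // Split on the first "=" only, so values such as base64 padding survive.
    const name = (eq === -1 ? token : token.slice(0, eq)).trim();
    const value = eq === -1 ? null : token.slice(eq + 1).trim();
    if (KNOWN_FLAGS.has(name.toLowerCase())) {
      flags.push(value === null ? name : `${name}=${value}`);
    } else if (value !== null && name !== "") {
      cookies[name] = urlDecode ? safeDecode(value) : value;
    }
    // Anything else (no "=" and not a known flag) is skipped.
  }
  return { cookies, flags };
}

// Constructed sample input combining the page's two examples.
const SAMPLE = "session=abc123; token = abc%3D123 ; bogus; bad=%E0%A4%A; Path=/; HttpOnly; SameSite=Lax";

function demo() {
  const { cookies, flags } = parseCookieString(SAMPLE);
  // As on the page, flags are kept out of the JSON object.
  return { json: JSON.stringify(cookies), flags };
}
console.log(demo());
```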