Example
Input (Set-Cookie header)
session=abc123; Domain=yutils.dev; Path=/; Expires=Wed, 13 May 2026 12:00:00 GMT; Secure; HttpOnly; SameSite=Lax
Output
- name: session
- value: abc123
- domain: yutils.dev
- path: /
- expires: Wed, 13 May 2026 12:00:00 GMT
- secure: true
- httpOnly: true
- sameSite: Lax
Note
Recognizes both request `Cookie:` and response `Set-Cookie:` headers. URL-encoded values are auto-decoded.
Usage / FAQ
When to use
- Security audit — confirm `Secure`, `HttpOnly`, `SameSite` attributes
- Debug session cookies — is the value URL-encoded JSON?
- Compare cookie policies across multiple sites
- Split individual cookies from a request `Cookie:` header
- Check expiration time and path scope
FAQ
- Q. What do the SameSite values mean?
- A. `Strict` = same-site only (no cookie on cross-site links). `Lax` = also allowed on top-level navigation (modern Chrome default). `None` allows all but requires `Secure`.
- Q. HttpOnly vs Secure?
- A. `HttpOnly` blocks JavaScript's `document.cookie` access — protects against XSS. `Secure` requires HTTPS — protects against eavesdropping. Both are near-mandatory.
- Q. Why is the value often URL-encoded JSON?
- A. RFC 6265 disallows certain characters in cookie values (spaces, semicolons, commas, …). Complex values like JSON are typically URL-encoded before storage.
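The audit described above can be scripted. The following is an added example, not the tool's own code: it parses a `Set-Cookie` header, URL-decodes the value, and reports missing or inconsistent `Secure`, `HttpOnly` and `SameSite` attributes. The function names `parseSetCookie` and `auditCookie` and the second sample header are constructed for illustration.

```javascript
// Added example (not the tool's source). Parses one Set-Cookie header line.
function parseSetCookie(header) {
  const line = header.replace(/^set-cookie:\s*/i, "");
  // Attributes are ';'-separated; the comma inside Expires is not a separator.
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  // Simplification: this example rejects cookies without a name.
  if (eq < 1) throw new Error("missing cookie name=value pair");
  const raw = pair.slice(eq + 1);
  let value = raw;
  try { value = decodeURIComponent(raw); } catch (_) { /* malformed %: keep raw */ }
  const cookie = { name: pair.slice(0, eq), value, secure: false, httpOnly: false };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    // Attribute names are case-insensitive.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val;
    else if (key === "domain") cookie.domain = val;
    else if (key === "path") cookie.path = val;
    else if (key === "expires") cookie.expires = val;
  }
  return cookie;
}

// Returns a list of findings; an empty list means all three attributes are set sanely.
function auditCookie(cookie) {
  const findings = [];
  const sameSite = (cookie.sameSite || "").toLowerCase();
  if (!cookie.secure) findings.push("missing Secure");
  if (!cookie.httpOnly) findings.push("missing HttpOnly");
  if (!sameSite) findings.push("no explicit SameSite");
  else if (!["strict", "lax", "none"].includes(sameSite)) findings.push("unknown SameSite value");
  // SameSite=None is only valid together with Secure.
  if (sameSite === "none" && !cookie.secure) findings.push("SameSite=None requires Secure");
  return findings;
}

// Constructed sample: URL-encoded JSON value, SameSite=None without Secure.
const WEAK = "Set-Cookie: prefs=%7B%22theme%22%3A%22dark%22%7D; Path=/; SameSite=None";
console.log(parseSetCookie(WEAK).value, auditCookie(parseSetCookie(WEAK)));
```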
Fun facts
HTTP cookies were invented in 1994 by Lou Montulli at Netscape. The original purpose was 'online shopping carts' — keeping per-user baskets without the server holding state. That simple idea became the foundation for sessions, authentication, ad tracking, and analytics.
Wikipedia — HTTP cookie
The cookie spec has been revised multiple times — Netscape's informal 1994 spec → RFC 2109 (1997) → RFC 2965 (2000) → today's RFC 6265 (2011). RFC 6265 is the most practical of them: it dropped the complex features of the earlier RFCs and aligned with what browsers actually implement.
RFC 6265 (2011)
The SameSite attribute (introduced in 2016) is core to CSRF defense — `Strict` / `Lax` / `None`. Chrome 80 (2020) changed the default from None to Lax, forcing explicit SameSite declarations, and a global wave of 'cookies suddenly stop working' compatibility incidents followed.
web.dev — SameSite cookies