Cookie / LocalStorage Inspector & Generator: learn session/auth mechanics without the googling.
Offline, single-file
Cookie Builder (Set-Cookie)
Generate a Set-Cookie header line (server-side style) and optionally apply it via document.cookie (client-side limitations apply).
Tip: Use the Base64 tab for opaque tokens.
If both are set, many browsers honor Max-Age over Expires.
If SameSite=None, you typically need Secure.
Secure: only over HTTPS
HttpOnly*: not readable by JS
Partitioned: CHIPS-style partition
Priority: Low/Medium/High
Heads up: HttpOnly cannot be set from JavaScript. The builder will include it for education, but document.cookie will ignore it. Use server responses to set HttpOnly cookies.
Cookie Parser
Paste either a Set-Cookie line or a raw Cookie header (name=value; name2=value2).
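The following JavaScript is an added example, not the tool's own source: it implements what the Builder and Parser tabs describe. `buildSetCookie` assembles a Set-Cookie value from an options object and returns the caveats called out above (Max-Age together with Expires, SameSite=None without Secure) as warnings; `parseSetCookie` and `parseCookieHeader` split a Set-Cookie line and a raw Cookie request header respectively; `auditSetCookie` checks a parsed cookie against the recommended defaults. All function names and warning strings are my own, and nothing here touches document.cookie.

```javascript
// Added example, not the tool's own code. Function names are assumptions.

const SAMESITE_VALUES = ['Strict', 'Lax', 'None'];

// Build a Set-Cookie header value. Returns { header, warnings } so a caller
// can surface the cheatsheet caveats next to the generated line.
function buildSetCookie(name, value, opts = {}) {
  // RFC 6265: cookie-name is an HTTP token; cookie-value may not contain
  // whitespace, double quotes, commas, semicolons or backslashes.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error(`invalid cookie name: ${name}`);
  if (/[\s",;\\]/.test(value)) throw new Error('cookie value contains a forbidden character');
  const parts = [`${name}=${value}`];
  const warnings = [];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.trunc(opts.maxAge)}`);
  if (opts.expires) parts.push(`Expires=${new Date(opts.expires).toUTCString()}`);
  if (opts.maxAge !== undefined && opts.expires) {
    warnings.push('Max-Age and Expires both set; browsers that support Max-Age use it and ignore Expires');
  }
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly'); // only honoured in a server response
  if (opts.sameSite) {
    if (!SAMESITE_VALUES.includes(opts.sameSite)) throw new Error(`invalid SameSite: ${opts.sameSite}`);
    parts.push(`SameSite=${opts.sameSite}`);
    if (opts.sameSite === 'None' && !opts.secure) {
      warnings.push('SameSite=None without Secure; modern browsers reject this cookie');
    }
  }
  if (opts.partitioned) parts.push('Partitioned');
  if (opts.priority) parts.push(`Priority=${opts.priority}`);
  return { header: parts.join('; '), warnings };
}

// Parse a Set-Cookie line (with or without the "Set-Cookie:" prefix) into
// { name, value, attributes }. Attribute names are lower-cased; flags map to true.
// Splitting on ';' is safe because the comma inside an Expires date is not a separator.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.replace(/^set-cookie:\s*/i, '').split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) throw new Error('missing name=value pair');
  const result = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attributes: {} };
  for (const raw of attrs) {
    const a = raw.trim();
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    result.attributes[key] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return result;
}

// Parse a raw Cookie request header (name=value; name2=value2) into an object.
// Bare tokens without '=' are skipped, which is how browsers treat them.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.replace(/^cookie:\s*/i, '').split(';')) {
    const p = part.trim();
    const i = p.indexOf('=');
    if (!p || i < 0) continue;
    out[p.slice(0, i).trim()] = p.slice(i + 1).trim();
  }
  return out;
}

// Compare a parsed Set-Cookie against the cheatsheet's recommended defaults.
function auditSetCookie(parsed) {
  const a = parsed.attributes;
  const findings = [];
  if (!a.secure) findings.push('missing Secure: cookie can be sent over plain HTTP');
  if (!a.httponly) findings.push('missing HttpOnly: readable by script if the site has an XSS');
  if (!a.samesite) findings.push('no SameSite: relies on browser default behaviour');
  if (String(a.samesite || '').toLowerCase() === 'none' && !a.secure) {
    findings.push('SameSite=None without Secure: rejected by modern browsers');
  }
  return findings;
}
```

Running `auditSetCookie(parseSetCookie(line))` over the Set-Cookie lines your server actually emits is a quick way to catch a session cookie that lost its HttpOnly or Secure flag in a refactor.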
localStorage Editor
Create or inspect localStorage entries. Includes JSON validation + pretty printing.
Security note: localStorage is accessible to JavaScript. If your site is vulnerable to XSS, attackers can read it. Prefer HttpOnly cookies for sensitive session tokens.
Storage Inspector
List keys, preview sizes, export/import as JSON.
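An added example (not the tool's code) covering both the localStorage Editor and the Storage Inspector: JSON validation with pretty printing, a key listing with UTF-8 byte sizes, and export/import as JSON. The functions accept any Web Storage object, so in a browser you would pass `window.localStorage`; the `MemoryStorage` class is my own stand-in so the same code runs under Node. All names are assumptions.

```javascript
// Added example, not the tool's own code. MemoryStorage is a minimal stand-in
// for window.localStorage (same getItem/setItem/key/length surface) so the
// helpers can be exercised outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(String(k), String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Validate a stored value as JSON. Returns { valid, pretty } where pretty is
// the re-indented form when the value parses, otherwise null.
function checkJson(value) {
  try {
    return { valid: true, pretty: JSON.stringify(JSON.parse(value), null, 2) };
  } catch {
    return { valid: false, pretty: null };
  }
}

// List every entry with its UTF-8 byte size (key + value), whether the value
// is JSON, and a short preview. Byte size, not string length, is what matters
// when you wonder why a storage write started failing.
function inspectStorage(storage) {
  const enc = new TextEncoder();
  const rows = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    rows.push({
      key,
      bytes: enc.encode(key).length + enc.encode(value).length,
      json: checkJson(value).valid,
      preview: value.length > 32 ? value.slice(0, 32) + '...' : value,
    });
  }
  return rows;
}

// Export all entries as a JSON document of { key: value } strings.
function exportStorage(storage) {
  const obj = {};
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    obj[key] = storage.getItem(key);
  }
  return JSON.stringify(obj, null, 2);
}

// Import a document produced by exportStorage. Only string values are
// accepted; existing keys are kept unless overwrite is true. Returns the
// number of keys written.
function importStorage(storage, json, { overwrite = false } = {}) {
  const parsed = JSON.parse(json);
  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('import document must be a JSON object');
  }
  let written = 0;
  for (const [key, value] of Object.entries(parsed)) {
    if (typeof value !== 'string') throw new Error(`value for ${key} is not a string`);
    if (!overwrite && storage.getItem(key) !== null) continue;
    storage.setItem(key, value);
    written++;
  }
  return written;
}
```

Treat an exported dump as sensitive: it contains every value the page's scripts can read, which is exactly the set an XSS payload could read too.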
Base64 Encode / Decode
Helpful for cookie/storage values. Supports UTF-8 safely.
Reminder: Base64 is not encryption. It's encoding (obfuscation at best).
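What "supports UTF-8 safely" has to mean in a browser, as an added example (my own helpers, not the tool's source): `btoa()` and `atob()` only handle code points up to 0xFF, so a string such as `"héllo €"` must be converted to UTF-8 bytes before encoding and decoded back afterwards. The helpers below do that with `TextEncoder`/`TextDecoder`, accept base64url and unpadded input on the way back, and fall back to `Buffer` where the global `btoa`/`atob` are absent. `needsUtf8Path` is a hypothetical name for the check that shows which inputs the naive call would reject.

```javascript
// Added example, not the tool's own code. Helper names are assumptions.

// True when the naive btoa(str) would throw: any UTF-16 code unit above 0xFF.
function needsUtf8Path(str) {
  for (let i = 0; i < str.length; i++) if (str.charCodeAt(i) > 0xff) return true;
  return false;
}

// Binary-string <-> Base64 using the browser globals, with a Node fallback.
const toB64 = (bin) =>
  typeof btoa === 'function' ? btoa(bin) : Buffer.from(bin, 'latin1').toString('base64');
const fromB64 = (b64) =>
  typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('latin1');

// Encode any JS string: UTF-8 bytes first, then each byte as one Latin-1 char.
function b64EncodeUtf8(str) {
  const bytes = new TextEncoder().encode(str);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return toB64(bin);
}

// Decode standard or URL-safe Base64 back to a string. fatal: true makes
// invalid UTF-8 throw instead of silently producing U+FFFD, which is what you
// want when inspecting a token that may be raw bytes rather than text.
function b64DecodeUtf8(b64) {
  let s = b64.trim().replace(/-/g, '+').replace(/_/g, '/');
  s += '='.repeat((4 - (s.length % 4)) % 4);
  const bin = fromB64(s);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}
```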
Quick Helpers
Small utilities for day-to-day debugging.
Cookie Cheatsheet
What each attribute does (and what to use by default).
Set-Cookie syntax (server response header)
-----------------------------------------
Set-Cookie: name=value; Path=/; Domain=example.com; Max-Age=3600; Expires=Tue, 03 Feb 2026 10:00:00 GMT; Secure; HttpOnly; SameSite=Lax
Common attributes
----------------
Path=/
• Cookie is sent only with requests under that path.
Domain=example.com
• Controls which subdomains receive the cookie. (No Domain = host-only cookie.)
Max-Age=seconds
• Relative lifetime from now. Often preferred over Expires.
Expires=HTTP-date (GMT/UTC)
• Absolute expiry time. Legacy, but still used.
Secure
• Only sent over HTTPS. Required for SameSite=None in modern browsers.
HttpOnly
• Prevents JS access (mitigates token theft via XSS). Must be set by the server.
SameSite=Strict | Lax | None
Strict: not sent on cross-site navigations
Lax: sent on top-level navigations (what most browsers apply when no SameSite is given)
None: sent cross-site (requires Secure)
Recommended defaults (typical web auth)
--------------------------------------
• Session cookie: HttpOnly; Secure; SameSite=Lax; Path=/
• Cross-site needed (e.g. embedded): SameSite=None; Secure; HttpOnly
localStorage quick notes
------------------------
• Great for non-sensitive preferences.
• Bad for secrets (XSS can read it). Prefer HttpOnly cookies for session tokens.