Реклама мешает? Идти Без рекламы Сегодня 

Конструктор и Генератор HTTP-куки

Разработчик

РЕКЛАМА · УДАЛЯТЬ?

ВХОД

Автоматический процесс

ВЫХОД

Клиентская сторона

Set-Cookie Header

document.cookie (JavaScript)

Фрагменты кода сервера

РЕКЛАМА · УДАЛЯТЬ?

Гид

Конструктор и Генератор HTTP-куки

Build correct HTTP Set-Cookie headers with a visual configurator. Set name, value, domain, path, expiration, SameSite, Secure, HttpOnly, and other attributes, then get the generated Set-Cookie header, document.cookie string, and server framework code snippets. Includes a cookie parser to reverse-engineer existing Set-Cookie strings and preset configurations for common cookie types.

Как использовать

Enter the cookie name and value, then configure optional attributes: Domain, Path, Max-Age, Expires, SameSite (None/Lax/Strict), Secure, HttpOnly, and Partitioned. The Set-Cookie header and document.cookie string update instantly. Use preset buttons for common patterns (session cookie, persistent cookie, CSRF token, etc.). Copy the generated header or server code snippets for Express.js, PHP, Flask, or Go. To parse an existing cookie, paste a Set-Cookie string and click Parse to populate all fields.

Функции

Visual Cookie Builder — Configure all Set-Cookie attributes through form controls: Name, Value, Domain, Path, Max-Age, Expires, SameSite, Secure, HttpOnly, Partitioned (CHIPS).
Set-Cookie Header Output — Correctly formatted Set-Cookie header string following RFC 6265. Updates in real time as you configure.
document.cookie Output — Client-side JavaScript equivalent for setting cookies. Shows warning when HttpOnly is enabled (can’t be set via JS).
4 Server Framework Snippets — Copy-ready code for Express.js (res.cookie), PHP (setcookie), Flask (response.set_cookie), and Go (http.SetCookie). Each dynamically generated from your configuration.
Cookie Parser — Paste an existing Set-Cookie header string and parse it back into individual fields. Great for debugging or modifying existing cookies.
5 Preset Configurations — One-click presets: Session Cookie, Persistent Cookie (30 days), Secure API Token, CSRF Token, Third-Party Cookie (CHIPS). Each fills the form with best-practice settings.
Валидация в реальном времени — Color-coded warnings: SameSite=None requires Secure, HttpOnly can’t be set via document.cookie, invalid name characters, Max-Age vs Expires conflict.
Cookie Reference — Collapsible reference explaining each attribute, size limits (4KB per cookie), and SameSite behavior with practical examples.

Cookie Attributes

SameSite: Controls cross-site cookie behavior. Lax (default) sends cookies on top-level navigations. Strict blocks all cross-site cookie sending. None allows cross-site but requires Secure flag.
Secure: Cookie only sent over HTTPS connections. Required when SameSite=None.
HttpOnly: Cookie cannot be accessed via JavaScript (document.cookie). Protects against XSS attacks.
Max-Age: Cookie lifetime in seconds from when it’s set. Takes precedence over Expires.
Expires: Absolute date/time when the cookie expires. Use Max-Age for relative expiration.
Partitioned (CHIPS): Newer attribute for partitioned third-party cookies. Each top-level site gets its own cookie jar.

РЕКЛАМА · УДАЛЯТЬ?

What is a Set-Cookie header?

Set-Cookie is an HTTP response header that tells the browser to store a cookie. The server sends it in the format: Set-Cookie: name=value; Path=/; SameSite=Lax; Secure; HttpOnly. The browser then includes this cookie in subsequent requests to the same domain via the Cookie request header. Each Set-Cookie header sets one cookie — to set multiple cookies, send multiple Set-Cookie headers. The attributes (Path, SameSite, Secure, etc.) control when and how the browser sends the cookie back.

What is the difference between SameSite Lax, Strict, and None?

SameSite controls whether cookies are sent with cross-site requests. Strict: cookie is never sent cross-site — only when the user is directly on your site. Most secure but breaks some flows (e.g., clicking a link from email won’t include the cookie). Lax (default since Chrome 80): cookie is sent with top-level navigations (clicking links) but not with cross-site subrequests (images, iframes, AJAX). Good balance of security and usability. None: cookie is always sent cross-site — required for third-party cookies, embedded content, and cross-origin APIs. Must be paired with Secure flag.

Should I use Max-Age or Expires?

Use Max-Age for most cases — it sets the cookie lifetime in seconds relative to when it’s received, which is simpler and avoids timezone issues. Expires sets an absolute date/time. If both are present, Max-Age takes precedence (per RFC 6265). If neither is set, the cookie becomes a session cookie — it’s deleted when the browser closes. Common Max-Age values: 3600 (1 hour), 86400 (1 day), 2592000 (30 days), 31536000 (1 year). Expires is useful when you need the cookie to expire at a specific date/time.

Why can’t HttpOnly cookies be set with document.cookie?

HttpOnly is a security attribute that prevents JavaScript from reading or modifying the cookie via document.cookie. This protects against Cross-Site Scripting (XSS) attacks — even if an attacker injects JavaScript into your page, they can’t steal HttpOnly cookies (like session tokens). Because of this restriction, HttpOnly cookies can only be set by the server via the Set-Cookie header, not by client-side JavaScript. Always use HttpOnly for authentication tokens and session IDs.

Хотите убрать рекламу? Откажитесь от рекламы сегодня

