Cookies
The Cookies tab displays all cookies set by the server via Set-Cookie headers. Each cookie is shown in a card format with its name, value, and all attributes. This makes it easy to understand cookie behavior and debug authentication issues.
Cookie Display
Each cookie is displayed in a card with its name, value, security badges, and attributes:
Example Cookie
Cookie Attributes
Cookie attributes control when and how the browser sends cookies back to the server:
| Attribute | Description | Default |
|---|---|---|
| Name | Cookie identifier used in requests | (required) |
| Value | Cookie content sent with requests | (required) |
| Domain | Domains that receive the cookie | Current host only |
| Path | URL paths that receive the cookie | / |
| Expires | Date/time when cookie expires | Session (browser close) |
| Max-Age | Cookie lifetime in seconds | Session (browser close) |
Security Flags
Security flags protect cookies from common attacks. These are displayed as colored badges for quick identification:
Secure: Cookie is only sent over encrypted HTTPS connections. This prevents the cookie from being intercepted on insecure networks. Always use for sensitive data like session tokens.
HttpOnly: Cookie cannot be accessed by JavaScript via document.cookie. This protects against XSS (Cross-Site Scripting) attacks that try to steal session cookies.
SameSite: Controls when cookies are sent with cross-site requests. Helps prevent CSRF attacks:
| Value | Behavior |
|---|---|
| Strict | Cookie only sent from the same site. Most secure, but may break some legitimate cross-site flows. |
| Lax | Cookie sent with top-level navigation (clicking links) but not with cross-site POSTs. Good balance of security and usability. |
| None | Cookie sent with all requests. Requires Secure flag. Use only when cross-site cookies are needed. |
Expiration Display
Cookie expiration is displayed in a human-readable format:
| Cookie Type | Display | Meaning |
|---|---|---|
| Session Cookie | Session | Deleted when browser closes |
| Short-lived | 45m | Max-Age less than 1 hour |
| Hours | 2h 30m | Max-Age less than 24 hours |
| Days | 7 days | Max-Age more than 24 hours |
| Fixed Date | Jan 15, 2025, 10:30 AM | Expires header with specific date |
If both Max-Age and Expires are present, Max-Age takes precedence (per RFC 6265).
Empty State
When the response doesn't set any cookies, a placeholder message is shown:
No cookies in response
This simply means the server didn't include any Set-Cookie headers in the response. Not all API responses set cookies.
Cookie Debugging Tips
Common issues when working with cookies:
Cookie not being sent
- Check Domain — cookie domain must match or be a parent of the request domain
- Check Path — request path must match or be under the cookie path
- Check Secure — if set, cookie only sent over HTTPS
- Check SameSite — may block cross-site requests
Cookie expiring immediately
- Check Max-Age — value of 0 or negative deletes the cookie
- Check Expires — date in the past deletes the cookie
- Check system clock — time differences can cause early expiration
Cannot access cookie in JavaScript
- Check HttpOnly — if set, cookie is not accessible via document.cookie
- This is intentional security behavior, not a bug
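The checks from the Security Flags and Expiration Display sections can also be scripted against a raw Set-Cookie header value. The following is an added example, not the tool's own code: the function names, finding strings and sample headers are constructed for illustration, and the expiry strings only approximate the display table above.

```javascript
// Added example: audit one Set-Cookie header value against the flags described above.
// parseSetCookie, auditCookie and formatExpiry are hypothetical helper names.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no name=value pair: nothing to store
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase(); // names are case-insensitive
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

function auditCookie(cookie) {
  const a = cookie.attrs;
  const findings = [];
  if (!a.secure) findings.push('missing Secure');
  if (!a.httponly) findings.push('missing HttpOnly');
  if (!a.samesite) findings.push('missing SameSite');
  else if (String(a.samesite).toLowerCase() === 'none' && !a.secure)
    findings.push('SameSite=None without Secure');
  return findings;
}

// Max-Age takes precedence over Expires when both are present (RFC 6265).
function formatExpiry(cookie, now = Date.now()) {
  const a = cookie.attrs;
  if (/^-?\d+$/.test(a['max-age'])) {
    const s = Number(a['max-age']);
    if (s <= 0) return 'Expired (deleted)';
    const m = Math.floor(s / 60), h = Math.floor(m / 60), d = Math.floor(h / 24);
    if (h < 1) return `${m}m`;
    if (h < 24) return m % 60 ? `${h}h ${m % 60}m` : `${h}h`;
    return `${d} day${d === 1 ? '' : 's'}`;
  }
  const t = Date.parse(String(a.expires));
  if (Number.isNaN(t)) return 'Session';
  return t <= now ? 'Expired (deleted)' : new Date(t).toISOString();
}

// Constructed sample headers, not captured from a real server.
const samples = [
  'session=abc123; Path=/; Max-Age=9000; Expires=Wed, 15 Jan 2025 10:30:00 GMT; Secure; HttpOnly; SameSite=Lax',
  'tracker=xyz; SameSite=None',
  'old=1; Max-Age=0; Secure; HttpOnly; SameSite=Strict',
];
for (const h of samples) { const c = parseSetCookie(h); console.log(c.name, formatExpiry(c), auditCookie(c)); }
```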