Dev
Mock Cookie Header Generator
Cookie parsing bugs and missing security attributes are easy to miss until a penetration test or a browser warning surfaces them. Testing your cookie-handling code against realistic Set-Cookie headers — with the full range of security attributes — catches those gaps early. This tool generates between 1 and 8 Set-Cookie header strings, each with a random token value and a random selection of attributes: Path=/, HttpOnly, Secure, a SameSite value (Lax, Strict, or None), and a Max-Age. The cookie names are drawn from a realistic pool: session_id, auth_token, csrf, theme, cart, and locale. The value is a 20-character random alphanumeric string. The generator avoids duplicating the same cookie name within a batch. Copy the headers into a test to verify your parser handles all attributes correctly, or use them in documentation to illustrate how a session setup should look. When setting real cookies, choose HttpOnly and Secure for any session or auth cookie, and pick a SameSite value deliberately — Lax is a safe default, Strict is tighter, and None requires Secure.
How to use
- Choose your options above
- Click Generate
- Copy your result
Detailed instructions
- Choose how many headers you want.
- Click Generate to produce Set-Cookie headers.
- Copy them into your test or docs.
- Set security attributes deliberately for real cookies.
Use Cases
- •Testing cookie parsing
- •Documenting a session setup
- •Learning cookie attributes
- •Seeding example headers
- •Demoing cookie security flags
Tips
- →HttpOnly hides cookies from JavaScript.
- →Secure restricts cookies to HTTPS.
- →SameSite controls cross-site sending.
- →Make session cookies HttpOnly and Secure.
FAQ
what attributes appear in the generated set-cookie headers
Each header includes Path=/, HttpOnly, Secure, a SameSite value (Lax, Strict, or None, chosen at random), and a Max-Age of 3600, 86400, or 604800 seconds. The cookie name is drawn from session_id, auth_token, csrf, theme, cart, and locale.
what do httponly and secure actually do in a browser
HttpOnly prevents JavaScript from reading the cookie via document.cookie, which blocks cookie theft through XSS. Secure restricts the cookie to HTTPS connections only, preventing it from being sent over plain HTTP. Both attributes should be set on any session or authentication cookie.
what is the difference between samesite=lax, strict, and none
SameSite=Lax (the browser default) allows the cookie on top-level navigations but blocks it on cross-site sub-requests. Strict blocks the cookie on all cross-site requests, including navigations. None allows the cookie everywhere but requires the Secure attribute, which means it only works over HTTPS.
are these cookies real and will they authenticate anything
No. The values are random 20-character strings that are not tied to any session or user. They are safe to use freely in tests and documentation. They follow the real Set-Cookie format so your code exercises the full attribute-parsing path, but they grant no access anywhere.
You might also like
Popular tools from other categories that share themes with this one.
Try these next
More free tools from other corners of the catalog, picked by shared themes.