Skip to main content
Back to Dev generators

Dev

Mock Cookie Header Generator

Cookie parsing bugs and missing security attributes are easy to miss until a penetration test or a browser warning surfaces them. Testing your cookie-handling code against realistic Set-Cookie headers — with the full range of security attributes — catches those gaps early. This tool generates between 1 and 8 Set-Cookie header strings, each with a random token value and a random selection of attributes: Path=/, HttpOnly, Secure, a SameSite value (Lax, Strict, or None), and a Max-Age. The cookie names are drawn from a realistic pool: session_id, auth_token, csrf, theme, cart, and locale. The value is a 20-character random alphanumeric string. The generator avoids duplicating the same cookie name within a batch. Copy the headers into a test to verify your parser handles all attributes correctly, or use them in documentation to illustrate how a session setup should look. When setting real cookies, choose HttpOnly and Secure for any session or auth cookie, and pick a SameSite value deliberately — Lax is a safe default, Strict is tighter, and None requires Secure.

Read the complete guide — 4 min read

How to use

  1. Choose your options above
  2. Click Generate
  3. Copy your result

Detailed instructions

  1. Choose how many headers you want.
  2. Click Generate to produce Set-Cookie headers.
  3. Copy them into your test or docs.
  4. Set security attributes deliberately for real cookies.

Use Cases

  • Testing cookie parsing
  • Documenting a session setup
  • Learning cookie attributes
  • Seeding example headers
  • Demoing cookie security flags

Tips

  • HttpOnly hides cookies from JavaScript.
  • Secure restricts cookies to HTTPS.
  • SameSite controls cross-site sending.
  • Make session cookies HttpOnly and Secure.

FAQ

what attributes appear in the generated set-cookie headers

Each header includes Path=/, HttpOnly, Secure, a SameSite value (Lax, Strict, or None, chosen at random), and a Max-Age of 3600, 86400, or 604800 seconds. The cookie name is drawn from session_id, auth_token, csrf, theme, cart, and locale.

what do httponly and secure actually do in a browser

HttpOnly prevents JavaScript from reading the cookie via document.cookie, which blocks cookie theft through XSS. Secure restricts the cookie to HTTPS connections only, preventing it from being sent over plain HTTP. Both attributes should be set on any session or authentication cookie.

what is the difference between samesite=lax, strict, and none

SameSite=Lax (the browser default) allows the cookie on top-level navigations but blocks it on cross-site sub-requests. Strict blocks the cookie on all cross-site requests, including navigations. None allows the cookie everywhere but requires the Secure attribute, which means it only works over HTTPS.

are these cookies real and will they authenticate anything

No. The values are random 20-character strings that are not tied to any session or user. They are safe to use freely in tests and documentation. They follow the real Set-Cookie format so your code exercises the full attribute-parsing path, but they grant no access anywhere.

You might also like

Popular tools from other categories that share themes with this one.

Try these next

More free tools from other corners of the catalog, picked by shared themes.