Dev
Fake Browser Cookie Generator
Testing HTTP cookie parsing and middleware enforcement requires syntactically correct cookie strings with all the right attributes — expiry in RFC 1123 format, Domain, Path, SameSite policy, and optionally Secure and HttpOnly flags. A fake browser cookie generator produces valid Set-Cookie header strings instantly. The `count` input generates between 1 and 20 cookies. Cookie names draw from a pool of realistic identifiers — session_id, auth_token, csrf_token, cart_id, ab_test, locale, and others — each with a four-hex suffix. Values alternate between 32-char hex strings and 24-char Base64 strings. Paths, domains, and SameSite values rotate across realistic options. The `secure` input toggles Secure and HttpOnly flags simultaneously. Output format is one Set-Cookie string per line, compatible with Postman's Cookie manager, curl's -H 'Cookie:' flag, and Playwright's context.addCookies().
How to use
- Choose your options above
- Click Generate
- Copy your result
Detailed instructions
- Set the Number of Cookies field to the quantity your test scenario requires.
- Choose Yes or No in the Secure/HttpOnly toggle to match your target cookie configuration.
- Click Generate to produce a fresh batch of randomized, properly formatted cookie strings.
- Copy individual cookies or the full list into your HTTP client, test fixture, or script.
Use Cases
- •Fuzz-testing a custom HTTP cookie parser with a batch of 50 varied cookie strings
- •Populating Postman pre-request scripts with realistic session and auth cookies
- •Seeding Playwright or Cypress multi-user end-to-end tests with per-user cookie fixtures
- •Testing Express or Django middleware that enforces HttpOnly and Secure flag requirements
- •Building controlled lab environments for CSRF research using cookies without Secure flags
Tips
- →Generate cookies without Secure/HttpOnly flags when testing legacy code paths or local HTTP-only dev servers that reject strict cookies.
- →Combine multiple generated cookie strings into a single Cookie: header line separated by semicolons to simulate realistic multi-cookie browser requests.
- →Use a count of 50 or more to stress-test parser performance and check whether your application silently drops cookies beyond a per-domain limit.
- →Paste generated cookies into browser DevTools under Application > Cookies to manually inject sessions into a running app without writing any code.
- →When writing Playwright tests, load generated cookies via context.addCookies() to pre-authenticate test users without going through the login UI each time.
- →Cross-check generated cookie names against your application's expected cookie names to write negative tests confirming unknown cookies are safely ignored.
FAQ
how do I add fake cookies to a curl request for testing
Copy a generated cookie string and extract the name=value portion. Pass it with curl's -H flag: curl -H 'Cookie: session_id_a1b2=abc123; auth_token_c3d4=xyz456' https://yourapi.com/endpoint. Combine multiple cookies in one Cookie header separated by semicolons. The generated output includes the full Set-Cookie format — strip everything after the first semicolon to get the bare name=value pair that goes in the Cookie request header.
can I use these fake cookies to log in to a real website
No. The values are random strings with no connection to any live server's session store. A real application will reject them or create a new anonymous session. These cookies are strictly for testing parsers, middleware, and mock environments where server-side validation is either absent or under your control.
what is the difference between the secure flag and httponly flag on a cookie
Secure restricts the cookie to HTTPS connections only — browsers refuse to send it over plain HTTP. HttpOnly blocks JavaScript from reading the cookie value via document.cookie, which mitigates XSS-based session hijacking. Both flags apply simultaneously when the Secure/HttpOnly toggle is set to 'yes'. Set it to 'no' to generate cookies without either flag, useful for testing legacy HTTP environments or code paths that handle unsecured cookies.
how do I use generated cookies in playwright tests
Generate your cookies, extract the name, value, domain, and path from each line, and pass them to context.addCookies() as an array of cookie objects before navigating. This pre-authenticates the test browser context without going through the login UI on each test run. Playwright's addCookies format expects domain without the leading dot, so strip it from the generated Domain attribute value.
You might also like
Popular tools from other categories that share themes with this one.
Try these next
More free tools from other corners of the catalog, picked by shared themes.