Understanding what cookies a website sets on your browser is essential for security auditing, debugging web applications, and ensuring privacy compliance. This guide shows you exactly how to extract cookies from every major browser, what each attribute means, and how to analyze them for security issues.
Quick Reference: Browser Shortcuts
| Browser | Open DevTools | Cookies Location |
|---|---|---|
| Chrome | Ctrl+Shift+I / Cmd+Option+I | Application > Storage > Cookies |
| Firefox | F12 | Storage > Cookies |
| Edge | F12 | Application > Storage > Cookies |
| Safari | Cmd+Option+I | Storage > Cookies |
Viewing Cookies in Google Chrome
Chrome's DevTools provide the most comprehensive cookie inspection capabilities of any browser.
Step-by-Step Instructions
- Navigate to the website you want to inspect
- Right-click anywhere and select Inspect, or press Ctrl+Shift+I (Windows/Linux) or Cmd+Option+I (Mac)
- Click the Application tab in the DevTools panel
- In the left sidebar, expand Storage > Cookies
- Click on your domain to view all cookies
What You'll See
Chrome displays a table with these columns:
- Name: The cookie identifier
- Value: The actual data stored
- Domain: Which domain can access this cookie
- Path: URL path scope for the cookie
- Expires / Max-Age: When the cookie expires
- Size: Cookie size in bytes
- HttpOnly: Whether JavaScript can access it
- Secure: Whether it requires HTTPS
- SameSite: Cross-site request behavior
- Partition Key: For partitioned cookies (privacy feature)
- Priority: Chrome-specific priority hint
Pro Tips for Chrome
Filter cookies by name or value: Use the filter box above the cookie table to search.
View Set-Cookie headers:
Go to the Network tab, click any request, and check Response Headers for Set-Cookie entries. This shows the full cookie string including all attributes.
Export all cookies: There is no built-in export. Right-clicking in the cookies table and selecting "Clear all" removes the cookies; it does not export them. Use our Cookie Analyzer tool instead.
Viewing Cookies in Mozilla Firefox
Firefox's Storage Inspector is straightforward and includes helpful grouping features.
Step-by-Step Instructions
- Navigate to your target website
- Press F12 or right-click and select Inspect
- Click the Storage tab (you may need to click >> to find it)
- Expand Cookies in the left sidebar
- Click your domain to view its cookies
Firefox-Specific Features
Firefox groups cookies by:
- First-party (same domain)
- Third-party (external domains)
You can see at a glance which cookies are from the site itself vs. external trackers.
Important Note About Firefox
Firefox's Enhanced Tracking Protection blocks many third-party cookies by default. If you're auditing a site and see fewer cookies than expected, try:
- Click the shield icon in the address bar
- Toggle off Enhanced Tracking Protection for that site
- Refresh the page
This reveals what cookies would be set without protection.
Viewing Cookies in Microsoft Edge
Edge uses the same Chromium DevTools as Chrome, so the process is nearly identical.
Step-by-Step Instructions
- Navigate to your website
- Press F12 or Ctrl+Shift+I
- Click the Application tab
- Under Storage, expand Cookies
- Select your domain
Edge-Specific Features
Edge adds a few features on top of Chrome's:
- Cookie Issues Panel: Shows warnings about cookies that may be blocked
- Third-Party Cookie Warnings: Highlights cookies affected by tracking prevention
- Size Analysis: Visual indicator of cookie sizes
Viewing Cookies in Safari
Safari requires an extra step to enable developer tools.
Enable Developer Tools First
- Open Safari
- Go to Safari menu > Settings (or Preferences)
- Click the Advanced tab
- Check Show Develop menu in menu bar
Step-by-Step Instructions
- Navigate to your website
- Press Cmd+Option+I or go to Develop > Show Web Inspector
- Click the Storage tab
- Select Cookies in the sidebar
- View cookies for the current page
Safari-Specific Notes
Safari's Intelligent Tracking Prevention (ITP) aggressively limits cookie lifetimes and blocks third-party cookies. You may see:
- Shorter expiration times than set by the server
- Missing third-party cookies entirely
- Partitioned storage for some cookies
Getting the Full Cookie String for Analysis
To analyze cookies with our Cookie Analyzer tool, you need the complete cookie string including all security attributes.
Method 1: From Network Response Headers
This is the best method to see exactly what the server sends:
- Open DevTools and go to Network tab
- Refresh the page
- Click on the initial document request (first item, usually)
- Look at Response Headers
- Find any Set-Cookie headers
- Copy the full value
Example output:
Set-Cookie: sessionid=abc123; Secure; HttpOnly; Path=/; SameSite=Lax; Max-Age=3600
Method 2: From JavaScript Console
This only works for cookies WITHOUT the HttpOnly flag:
document.cookie
Output format:
name1=value1; name2=value2; name3=value3
Note: This doesn't show cookie attributes like Secure or HttpOnly.
Method 3: Application Tab Export
- Go to Application > Cookies
- Select your domain
- View all cookies in the table
- Manually construct the cookie string from the attributes shown
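Method 3 done programmatically, as an added example that is not part of the original guide. The row object shape is hypothetical; it assumes the Chrome conventions that the Expires column reads "Session" or an ISO timestamp, and that a Domain shown with a leading dot means the server sent a Domain attribute.

```javascript
// Added example: rebuild a Set-Cookie string from one row of the DevTools cookie table.
// The row shape (name, value, domain, path, expires, httpOnly, secure, sameSite) is
// hypothetical; fill it in from the columns DevTools shows.
function rowToSetCookie(row) {
  const parts = [`${row.name}=${row.value}`];
  // Assumption: a leading dot marks a cookie set with a Domain attribute.
  // Without the dot the cookie is host-only, so no Domain attribute is emitted.
  if (row.domain && row.domain.startsWith('.')) parts.push(`Domain=${row.domain}`);
  if (row.path) parts.push(`Path=${row.path}`);
  // "Session" means neither Expires nor Max-Age was sent.
  if (row.expires && row.expires !== 'Session') {
    const when = new Date(row.expires);
    if (Number.isNaN(when.getTime())) throw new Error(`bad Expires value: ${row.expires}`);
    parts.push(`Expires=${when.toUTCString()}`); // HTTP-date form used in headers
  }
  if (row.secure) parts.push('Secure');
  if (row.httpOnly) parts.push('HttpOnly');
  if (row.sameSite) parts.push(`SameSite=${row.sameSite}`);
  return parts.join('; ');
}

// Constructed sample rows, not copied from a real site.
const rows = [
  { name: 'sessionid', value: 'abc123', domain: 'example.com', path: '/',
    expires: 'Session', httpOnly: true, secure: true, sameSite: 'Lax' },
  { name: 'prefs', value: 'a=b', domain: '.example.com', path: '/',
    expires: '2025-12-12T12:00:00.000Z', httpOnly: false, secure: false, sameSite: '' },
];
for (const row of rows) console.log('Set-Cookie: ' + rowToSetCookie(row));
```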
Understanding Cookie Attributes
When analyzing cookies, check these security-critical attributes:
Secure Flag
Set-Cookie: session=xyz; Secure
- Present: Cookie only sent over HTTPS (good)
- Missing: Cookie sent over HTTP too (vulnerable to interception)
HttpOnly Flag
Set-Cookie: session=xyz; HttpOnly
- Present: JavaScript cannot access this cookie (good for session cookies)
- Missing: document.cookie can read it (XSS risk for sensitive cookies)
SameSite Attribute
Set-Cookie: session=xyz; SameSite=Strict
| Value | Behavior | Security |
|---|---|---|
| Strict | Never sent cross-site | Best CSRF protection |
| Lax | Sent with top-level navigation | Good balance |
| None | Always sent (requires Secure) | Least protection |
Domain Attribute
Set-Cookie: session=xyz; Domain=.example.com
- Not set: Cookie only for exact domain (most restrictive)
- Set to parent: Shared across subdomains (broader access)
Path Attribute
Set-Cookie: session=xyz; Path=/admin
Limits cookie to specific URL paths. More specific = better security.
Expires / Max-Age
Set-Cookie: session=xyz; Max-Age=3600
Set-Cookie: session=xyz; Expires=Thu, 12 Dec 2025 12:00:00 GMT
- Not set: Session cookie (deleted when browser closes)
- Short duration: Better security
- Long duration: Convenient but higher risk if stolen
Common Security Issues to Check
When analyzing cookies, look for these problems:
Critical Issues
- Session cookies without HttpOnly
  - Risk: XSS attacks can steal session tokens
  - Fix: Add HttpOnly flag
- Authentication cookies without Secure
  - Risk: Credentials exposed on unsecured networks
  - Fix: Add Secure flag, enforce HTTPS
- Sensitive data in cookie values
  - Risk: Exposure of PII, passwords, or tokens
  - Fix: Store only session IDs, keep data server-side
High Priority Issues
- Missing SameSite on session cookies
  - Risk: CSRF attacks
  - Fix: Add SameSite=Lax or SameSite=Strict
- SameSite=None without Secure
  - Risk: Browser rejects the cookie, breaks functionality
  - Fix: Always pair SameSite=None with Secure
Medium Priority Issues
- Overly broad domain scope
  - Risk: Subdomains can access sensitive cookies
  - Fix: Use specific domain or omit Domain attribute
- Excessive expiration times
  - Risk: Stolen cookies remain valid longer
  - Fix: Use shorter lifetimes for sensitive cookies
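The checks in this section, written as a small Node.js script (an added example, not the Cookie Analyzer tool's code). It treats every cookie it is given as a session or authentication cookie, and the 30-day lifetime threshold is an assumption, since the guide gives no number.

```javascript
// Added example: audit one Set-Cookie header against the issues listed above.
// Assumption: every cookie passed in is a session or authentication cookie.
const MAX_LIFETIME_S = 30 * 24 * 3600; // assumed threshold (30 days); not from the guide

function parseSetCookie(header) {
  const parts = header.replace(/^set-cookie:\s*/i, '').split(';').map(p => p.trim());
  const [pair, ...rest] = parts;
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? '' : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flags such as Secure carry no value.
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : part.slice(i + 1);
  }
  return cookie;
}

function lifetimeSeconds(attrs, now) {
  // Max-Age takes precedence over Expires when both are present.
  if (attrs['max-age'] !== undefined) return Number(attrs['max-age']);
  if (attrs.expires !== undefined) return (Date.parse(attrs.expires) - now) / 1000;
  return null; // neither set: session cookie
}

function auditSetCookie(header, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  const secure = attrs.secure !== undefined;
  const sameSite = String(attrs.samesite || '').toLowerCase();
  const findings = [];
  const add = (severity, issue) => findings.push({ cookie: name, severity, issue });
  if (attrs.httponly === undefined) add('critical', 'missing HttpOnly');
  if (!secure) add('critical', 'missing Secure');
  if (!sameSite) add('high', 'missing SameSite');
  if (sameSite === 'none' && !secure) add('high', 'SameSite=None without Secure');
  if (attrs.domain) add('medium', 'Domain set: cookie is shared with subdomains');
  const life = lifetimeSeconds(attrs, now);
  if (life !== null && life > MAX_LIFETIME_S) add('medium', 'lifetime longer than threshold');
  return findings;
}

// Constructed sample headers, not captured from a real site.
const samples = [
  'Set-Cookie: sessionid=abc123; Secure; HttpOnly; Path=/; SameSite=Lax; Max-Age=3600',
  'Set-Cookie: session=xyz; Domain=.example.com; SameSite=None; Max-Age=31536000',
];
for (const h of samples) console.log(h, auditSetCookie(h));
```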
Analyzing Cookies Automatically
Manually checking each cookie attribute is tedious. Use our Cookie Analyzer tool to:
- Parse cookie strings automatically
- Identify security issues with severity ratings
- Get specific recommendations for each problem
- Export results as JSON or CSV
- Calculate security scores for quick assessment
Simply paste your cookie strings (from Set-Cookie headers or the Application tab) and get instant analysis.
Exporting Cookies for Documentation
For security audits or compliance documentation, you may need to export all cookies.
Using Browser Extensions
Several browser extensions can export cookies:
- EditThisCookie (Chrome): Export as JSON
- Cookie-Editor (Firefox/Chrome): Export to various formats
- Cookie Quick Manager (Firefox): Full cookie management
Manual Export
- Open DevTools > Application > Cookies
- Copy data from the table
- Paste into a spreadsheet or document
Using JavaScript (Non-HttpOnly Only)
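```javascript
// Get all accessible cookies (HttpOnly cookies are never exposed to scripts)
const cookies = document.cookie
  .split('; ')
  .filter(Boolean) // document.cookie is '' when no cookies are readable
  .map(c => {
    // Split on the first '=' only: values may themselves contain '='
    const [name, ...value] = c.split('=');
    return { name, value: value.join('=') };
  });
console.table(cookies);
```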
Privacy and Compliance Considerations
When auditing cookies, consider regulatory requirements:
GDPR (EU)
- Classify cookies by purpose (necessary, analytics, marketing)
- Document all cookies in your privacy policy
- Obtain consent before setting non-essential cookies
CCPA (California)
- Disclose cookie usage in privacy policy
- Provide opt-out mechanism for sale of data
- Honor "Do Not Sell" requests
Cookie Consent Requirements
Check that your site:
- Shows a cookie banner before setting tracking cookies
- Allows granular consent choices
- Respects user preferences
- Documents cookie purposes clearly
Next Steps
After extracting cookies from your browser:
- Analyze them using our Cookie Analyzer tool
- Fix issues following our remediation guide
- Learn about prefixes in Cookie Prefixes Explained
- Get a professional audit from our security team
Understanding your website's cookie configuration is the first step toward better web security and privacy compliance.