What Is Cookie Analysis
Cookie analysis examines HTTP cookies set by websites to understand data collection practices, security configurations, and privacy compliance. Cookies are small text files stored in browsers that track sessions, preferences, authentication state, and user behavior. Analyzing them reveals what data a website collects, how long it persists, and whether proper security flags are set.
With privacy regulations like GDPR, CCPA, and ePrivacy Directive requiring informed consent for non-essential cookies, understanding cookie behavior is a compliance necessity. Security teams also analyze cookies to ensure session tokens are protected against theft through XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery) attacks. A cookie analyzer provides a systematic view of all cookies, their attributes, and potential issues.
How HTTP Cookies Work
Cookies are set by servers using the Set-Cookie HTTP response header and sent back by browsers with every subsequent request. Key attributes control cookie behavior and security:
| Attribute | Purpose | Security Impact |
|---|---|---|
| Name=Value | The cookie data | Contains session IDs, preferences, tracking IDs |
| Domain | Which domains receive the cookie | Overly broad domains expose cookies to subdomains |
| Path | URL path scope | Path=/ sends the cookie with every request to the host |
| Expires/Max-Age | When the cookie is deleted | Session vs. persistent cookie |
| Secure | Only sent over HTTPS | Prevents interception on HTTP connections |
| HttpOnly | Not accessible via JavaScript | Prevents XSS-based cookie theft |
| SameSite | Cross-site request policy | Strict, Lax, or None; mitigates CSRF |
| Partitioned | CHIPS (third-party partitioning) | Limits cross-site tracking |
Cookie categories for privacy compliance:
- Strictly necessary: Authentication, shopping cart, security (no consent required)
- Functional: Language preference, user settings (consent recommended)
- Analytics: Usage tracking, A/B testing (consent required)
- Marketing: Cross-site tracking, retargeting (consent required)
Common Use Cases
- Privacy compliance auditing: Identify all cookies and classify them by purpose for GDPR/CCPA consent management
- Security assessment: Verify that session cookies have Secure, HttpOnly, and SameSite flags set correctly
- Third-party tracking discovery: Find cookies set by advertising, analytics, and social media scripts
- Incident investigation: Analyze suspicious cookies that may indicate session hijacking or unauthorized tracking
- Vendor due diligence: Evaluate what cookies third-party scripts inject into your users' browsers
Best Practices
- Set Secure, HttpOnly, and SameSite on all sensitive cookies — Session tokens must have all three flags to prevent theft and CSRF
- Use SameSite=Strict or Lax — The None value requires the Secure flag and allows cross-site requests, which is rarely needed
- Minimize cookie lifetime — Session cookies (no Expires) are deleted when the browser closes; persistent cookies should have the shortest practical lifetime
- Audit third-party cookies regularly — Third-party scripts frequently add new cookies without notification; scan monthly
- Implement a cookie consent mechanism — GDPR requires opt-in consent for non-essential cookies; block analytics and marketing cookies until consent is given
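The checks in the attribute table and the Best Practices list can be run mechanically over a Set-Cookie header. The script below is an added example, not the Cookie Analyzer's own code: it parses a header per RFC 6265 (first pair is name=value, the rest are case-insensitive attributes), then reports browser-enforced rule violations (SameSite=None without Secure, __Host-/__Secure- prefix requirements) and, for sensitive cookies, missing Secure/HttpOnly/SameSite and an over-long lifetime. The finding texts and the MAX_LIFETIME_SECONDS threshold are this example's own choices; the sample headers are constructed.

```python
"""Audit Set-Cookie headers against the attribute rules above (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed threshold: the page recommends 15-60 minute session lifetimes.
MAX_LIFETIME_SECONDS = 3600


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and a lowercase attribute map."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        raise ValueError("Set-Cookie must start with name=value")
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True  # flag attribute such as Secure or HttpOnly
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def lifetime_seconds(attrs: dict, now=None):
    """Seconds until expiry, or None for a session cookie (no Expires/Max-Age).

    Max-Age takes precedence over Expires when both are present (RFC 6265 s5.3).
    """
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"])
        except (TypeError, ValueError):
            pass  # browsers ignore an unparsable Max-Age and fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(str(attrs["expires"]))
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        return int((expires - now).total_seconds())
    return None


def audit_cookie(header: str, sensitive: bool = True, now=None) -> list:
    """Return findings for one Set-Cookie header; an empty list means it passes.

    sensitive=True applies the session-cookie rules from the Best Practices list;
    sensitive=False checks only the rules browsers enforce themselves.
    """
    cookie = parse_set_cookie(header)
    name, attrs = cookie["name"], cookie["attrs"]
    secure = "secure" in attrs
    samesite = attrs.get("samesite")
    samesite = samesite.lower() if isinstance(samesite, str) else None
    findings = []

    # Browser-enforced rules: a cookie failing these is rejected outright.
    if samesite == "none" and not secure:
        findings.append("SameSite=None requires Secure")
    if name.startswith("__Secure-") and not secure:
        findings.append("__Secure- prefix requires Secure")
    if name.startswith("__Host-"):
        if not secure:
            findings.append("__Host- prefix requires Secure")
        if "domain" in attrs:
            findings.append("__Host- prefix forbids Domain")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")

    # Policy rules for session tokens and other sensitive cookies.
    if sensitive:
        if not secure:
            findings.append("missing Secure")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly")
        if samesite is None:
            findings.append("missing SameSite (browsers default to Lax)")
        elif samesite == "none":
            findings.append("SameSite=None allows cross-site sends; prefer Strict or Lax")
        life = lifetime_seconds(attrs, now)
        if life is not None and life > MAX_LIFETIME_SECONDS:
            findings.append(f"lifetime {life}s exceeds {MAX_LIFETIME_SECONDS}s")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    for hdr in (
        "Set-Cookie: __Host-sessionid=abc; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=3600",
        "sessionid=abc123; HttpOnly",
        "remember=1; Secure; HttpOnly; SameSite=Lax; Max-Age=2592000",
    ):
        print(hdr, "->", audit_cookie(hdr) or "OK")
```

Run it with a response header copied from the browser's network panel; the `sensitive` switch lets you audit a tracking or preference cookie without the session-token rules. Note that the page's own `__Host-sessionid` example only passes with `Path=/` present, which is one of the conditions the prefix imposes.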
Frequently Asked Questions
Common questions about the Cookie Analyzer
What are HTTP cookies?
HTTP cookies are small pieces of data stored by browsers and sent with every request to the same domain.
Used for: session management (login state), personalization (preferences), tracking (analytics, ads).
Set via Set-Cookie header or JavaScript document.cookie.
Contains: name, value, expiration, domain, path, security flags.
Types: session cookies (temporary), persistent cookies (long-lived), first-party (same domain), third-party (different domain).
GDPR requires consent for non-essential cookies.
What is the HttpOnly flag?
The HttpOnly flag prevents JavaScript from reading the cookie via document.cookie.
Mitigates XSS attacks that steal session cookies through injected scripts.
Example: Set-Cookie: sessionid=abc123; HttpOnly.
The cookie is still sent with HTTP requests but hidden from client-side scripts.
Essential for authentication cookies.
Not bulletproof - injected script can still issue authenticated requests from the victim's browser.
Use with: Secure flag, SameSite, CSP.
Check: browser DevTools Application tab shows HttpOnly column.
What is the Secure flag?
The Secure flag ensures cookies are only transmitted over HTTPS, never over unencrypted HTTP.
Prevents eavesdropping on unsecured networks.
Example: Set-Cookie: token=xyz789; Secure.
Required for sensitive data (sessions, auth tokens, personal info).
Modern browsers require Secure for SameSite=None cookies.
Local development: use localhost (exempt) or HTTPS proxy.
All production cookies should use Secure flag.
HTTP sites cannot set Secure cookies.
What is SameSite attribute?
SameSite mitigates CSRF attacks by controlling when cookies are sent with cross-site requests.
Three values:
- Strict (never sent cross-site, safest)
- Lax (sent on top-level navigation GET, default)
- None (always sent, requires Secure flag).
Example: Set-Cookie: id=123; SameSite=Strict.
Use Strict for sensitive actions (banking), Lax for general sites, None for third-party integrations (OAuth, payment).
Modern browsers default to Lax if omitted.
How to set cookie expiration?
Two attributes: Expires (specific date) or Max-Age (seconds from now).
Example: Expires=Wed, 21 Oct 2025 07:28:00 GMT or Max-Age=3600 (1 hour).
Session cookies: omit both attributes, deleted when browser closes.
Persistent cookies: set expiration.
Security: short-lived tokens (minutes-hours), long-lived remember-me (days-weeks).
Auto-renewal: refresh token before expiry.
Privacy: GDPR limits persistent cookie duration.
Use Max-Age (easier calculation).
- First-party cookies: set by the visited domain (example.com on example.com). Used for: sessions, preferences, analytics.
- Third-party cookies: set by a different domain (ads.tracker.com on example.com). Used for: cross-site tracking, retargeting, analytics.
- Browser trends: Safari/Firefox block third-party cookies by default; Chrome phasing out 2024-2025.
- Alternatives: first-party data collection, server-side tracking, Privacy Sandbox.
- GDPR: requires explicit consent for non-essential cookies (both types).
Best practices:
- HttpOnly flag (prevent XSS theft).
- Secure flag (HTTPS only).
- SameSite=Strict or Lax (prevent CSRF).
- Short expiration (15-60 min).
- Prefix: __Host- or __Secure- (enforces Secure + domain restrictions).
- Cryptographic signing (HMAC-SHA256).
- Regenerate session ID after login.
- Clear cookies on logout.
Example: Set-Cookie: __Host-sessionid=abc; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=3600
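The signing, rotation and logout items in that list fit together in a small server-side helper. The code below is an added example, not the page's or any framework's code: it signs a JSON payload with HMAC-SHA256, embeds an absolute expiry, verifies with a constant-time comparison, issues the value in a __Host- cookie carrying every flag listed above, and clears it with Max-Age=0 on logout. SECRET_KEY and the cookie name __Host-session are constructed placeholders; in production the key comes from a secret store.

```python
"""Signed, short-lived session cookie helper (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = b"constructed-example-key-replace-me"  # placeholder, not a real key
COOKIE_NAME = "__Host-session"                      # constructed name
SESSION_TTL = 3600                                  # seconds, matches Max-Age=3600 above


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(data: bytes):
    try:
        return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))
    except ValueError:
        return None


def new_session_id() -> str:
    """Fresh random ID; issue one at login so a pre-login ID is never kept."""
    return secrets.token_urlsafe(32)


def sign_session(payload: dict, secret: bytes = SECRET_KEY, ttl: int = SESSION_TTL, now=None) -> str:
    """Return '<base64url(json)>.<base64url(hmac-sha256)>' with an absolute expiry."""
    now = int(time.time()) if now is None else now
    body = dict(payload, exp=now + ttl)
    data = _b64e(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    mac = hmac.new(secret, data, hashlib.sha256).digest()
    return (data + b"." + _b64e(mac)).decode()


def verify_session(token: str, secret: bytes = SECRET_KEY, now=None):
    """Return the payload if the MAC matches and the token is unexpired, else None."""
    data, sep, sig = token.encode().rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(secret, data, hashlib.sha256).digest()
    given = _b64d(sig)
    # Constant-time comparison so the MAC check does not leak through timing.
    if given is None or not hmac.compare_digest(expected, given):
        return None
    try:
        body = json.loads(_b64d(data))
    except (TypeError, ValueError):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(body, dict) or not isinstance(body.get("exp"), int) or body["exp"] <= now:
        return None
    return body


def session_set_cookie(token: str, max_age: int = SESSION_TTL) -> str:
    """Set-Cookie value carrying every flag from the best-practice list above."""
    return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age={max_age}"


def clear_session_cookie() -> str:
    """Logout: same attributes, Max-Age=0 instructs the browser to delete it."""
    return f"{COOKIE_NAME}=; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=0"


if __name__ == "__main__":
    # Constructed login flow: rotate the ID, sign, issue, verify, then log out.
    token = sign_session({"sid": new_session_id(), "uid": 42})
    print("Set-Cookie:", session_set_cookie(token))
    print("verified payload:", verify_session(token))
    print("Set-Cookie:", clear_session_cookie())
```

The server still needs a revocation store if sessions must be killable before `exp`; signing only guarantees that a presented cookie was issued by the server and has not been altered.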
What are cookie prefixes?
Cookie prefixes enforce security requirements:
__Secure- prefix requires Secure flag and HTTPS.
__Host- prefix requires: Secure flag, no Domain attribute (exact domain only), Path=/.
Example: __Host-token=xyz forces most restrictive settings.
Prevents: subdomain/related-domain cookie injection, downgrade attacks.
Browser enforces requirements - invalid combinations rejected.
Use __Host- for maximum security (auth tokens), __Secure- for general secure cookies.
Not widely adopted yet but recommended.
First-party cookies are set by the website you visit and are used for essential functions like login sessions. Third-party cookies are set by external domains (like ad networks) and track users across websites. Browsers are increasingly blocking third-party cookies for privacy.