Does SameSite=None require Secure?
Yes. Modern browsers expect SameSite=None cookies to be marked Secure, otherwise cross-site delivery is often blocked.
Set-Cookie Parser
Parse Set-Cookie headers into name, value, flags, and attributes
API & HTTP
π 100% client-side β your data never leaves this pagePage mode
Set-Cookie Input
Quick CTA
Paste one Set-Cookie header per line and inspect name, expiry, and SameSite / Secure risks first; detailed comparisons stay in Deep.
Output
Parsed result appears here
100% client-side
Page reading mode
Quick keeps the summary, direct answers, and next steps so you can validate fit and get a result faster.
About this tool
Set-Cookie Parser helps you break down complex Set-Cookie headers into a readable structure. Paste one or multiple Set-Cookie lines and inspect cookie name, value, security flags, and attributes like Path, Domain, Expires, Max-Age, and SameSite. This is especially useful when login sessions are unstable, cookies disappear across subdomains, or cross-site requests fail after browser policy updates. The parser highlights malformed lines, so you can quickly identify formatting mistakes before shipping changes. Everything runs in your browser and no cookie data is sent to any server.
Direct Answers
Which wins, Max-Age or Expires?
Max-Age is usually the more explicit lifetime control, while Expires is an absolute timestamp. Many teams set both for compatibility.
Suggested Workflow
CORS Credentials + Wildcard Origin Error: Practical Fix Guide
Fix the classic browser CORS block when credentials are enabled with Access-Control-Allow-Origin=*.
SameSite=None Requires Secure: Cookie Fix Playbook
Resolve cross-site login/session failures caused by cookie attribute mismatch in modern browsers.
Cache-Control no-store + max-age Conflict: How to Fix Caching Chaos
Diagnose and resolve contradictory cache directives that cause random hit/miss behavior.