Version: 0.1.0

How to Inspect Cookies

  1. Open your browser and navigate to any website.
  2. Press F12 (Windows/Linux) or Cmd+Option+I (Mac) to open DevTools.
  3. Click the Cookie Lens tab at the top of DevTools.
  4. You should see all cookies for the current site.

Each row in Cookie Lens represents one cookie with key information:

  • Name — the cookie identifier (e.g. sessionToken, preferences, __utm_campaign).
  • Value — the cookie's current value (truncated if very long).
  • Domain — which domain(s) can access this cookie.
  • Path — URL path restriction (usually /).
  • Expiration — when it expires, or "Session" for temporary cookies.
  • Flags — icons showing Secure, HttpOnly, and SameSite status.

Click any cookie row to expand and see the complete details:

  • Full value (without truncation).
  • All attributes (domain, path, expiry, flags).
  • Size in bytes.
  • Creation time (if tracked).
  • Last update time (if tracked).

Searching Cookies

Type in the search box at the top to filter cookies:

  • Search by name — sessionToken, auth.
  • Search by value fragment — part of a session ID or token.
  • Search by domain — .example.com.

Results update instantly as you type.

Advanced Filtering

Use the filter dropdowns to show or hide cookies by attributes:

  • Secure flag — only HTTPS cookies.
  • HttpOnly flag — only JavaScript-inaccessible cookies.
  • SameSite — filter by Strict / Lax / None / Unspecified.
  • Domain type — first-party vs third-party.

Sorting Cookies

Click any column header to sort:

  • Name — alphabetical order.
  • Size — largest first (helps find bloated cookies).
  • Expiry — soon-to-expire first.
  • Domain — by domain name.

Click again to reverse the sort order.

Pinning Important Cookies

Cookies you work with frequently can be pinned to the top:

  1. Click the pin icon on any cookie.
  2. Pinned cookies appear at the top of the list.
  3. Click again to unpin.

This is useful for tracking auth tokens, user preferences, or experiment flags during development.

Protecting Sensitive Cookies

Prevent accidental deletion of important cookies:

  1. Click the lock icon on a cookie (or open it and click Protect).
  2. Protected cookies will ask for confirmation before deletion.
  3. Click again to remove protection.

Domain

  • .example.com — accessible from example.com and all subdomains (www.example.com, api.example.com, etc.).
  • example.com — accessible only from the exact domain.
  • .localhost — development/localhost cookies.

Path

  • / — accessible from the entire site (most common).
  • /admin — only accessible under /admin/....
  • /api/v2 — only accessible under /api/v2/....

Secure

  • Enabled — only sent over HTTPS (secure).
  • Disabled — sent over both HTTP and HTTPS (risky on unsecured networks).

HttpOnly

  • Enabled — JavaScript cannot access (protected from XSS attacks).
  • Disabled — JavaScript can read and modify (vulnerable if site has XSS bugs).

SameSite

  • Strict — only sent in same-site requests (most secure).
  • Lax — sent with top-level navigations (such as following a link) but not with other cross-site requests (default in modern browsers).
  • None — sent in all requests, even cross-site (requires Secure flag, for CDNs/CORS).
  • Unspecified — browser default behavior (treat as Lax).

Expiration

  • "Session" — expires when the browser window closes.
  • Date/time — expires at a specific time.
  • Expired — already expired (remove or update).
  • Long-term — > 1 year (may need user consent in some jurisdictions).
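The attribute rules in the Domain, Secure, HttpOnly, SameSite and Expiration sections above, applied programmatically. This is an added example, not Cookie Lens code: it parses raw Set-Cookie headers into the same attributes the tool displays and flags the risky combinations described above (missing Secure, a sensitive cookie readable by JavaScript, SameSite=None without Secure, expired or longer-than-a-year lifetimes). The sample headers are constructed; the name patterns used to mark a cookie as sensitive are taken from the Tips & Tricks search terms.

```javascript
// Added example, not Cookie Lens code: parse Set-Cookie headers into the
// attributes the tool displays, then flag the risky combinations above.

// Parse one Set-Cookie header. A Domain attribute is shown with a leading
// dot (subdomains included); no Domain attribute means host-only.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null,
              path: '/', secure: false, httpOnly: false, sameSite: 'Unspecified',
              maxAge: null, expires: null };
  for (const attr of attrs) {
    const [k, ...rest] = attr.split('=');
    const v = rest.join('=');
    switch (k.toLowerCase()) {
      case 'secure': c.secure = true; break;
      case 'httponly': c.httpOnly = true; break;
      case 'samesite': c.sameSite = v; break;
      case 'domain': c.domain = '.' + v.replace(/^\./, ''); break;
      case 'path': c.path = v || '/'; break;
      case 'max-age': c.maxAge = Number(v); break;
      case 'expires': c.expires = Date.parse(v); break;
    }
  }
  return c;
}

// Audit a parsed cookie. `now` (ms since epoch) is injectable so results
// are deterministic; Max-Age wins over Expires, as in browsers.
function auditCookie(c, now = Date.now()) {
  const findings = [];
  const sensitive = /token|auth|session|jwt/i.test(c.name); // Tips & Tricks terms
  if (!c.secure) findings.push('not Secure: also sent over plain HTTP');
  if (sensitive && !c.httpOnly) findings.push('sensitive cookie readable by JavaScript');
  if (/^none$/i.test(c.sameSite) && !c.secure) findings.push('SameSite=None requires Secure');
  const expiresAt = c.maxAge !== null ? now + c.maxAge * 1000 : c.expires;
  if (expiresAt !== null && expiresAt <= now) findings.push('already expired');
  else if (expiresAt !== null && expiresAt - now > 365 * 86400 * 1000) findings.push('long-term (> 1 year)');
  return findings;
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  'sessionToken=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Domain=example.com; Path=/; Max-Age=63072000',
  'accessToken=xyz; Path=/api/v2; SameSite=None',
];
function auditAll(headers, now) {
  return headers.map((h) => { const c = parseSetCookie(h); return { name: c.name, domain: c.domain, findings: auditCookie(c, now) }; });
}
```

Call `auditAll(SAMPLE_HEADERS)` to see the first cookie pass clean while the preference cookie is flagged as long-term and the unprotected access token collects three findings.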

Tips & Tricks

  • Find auth tokens — search for token, auth, session, or jwt.
  • Check for duplicates — sort by name and look for repeated names across domains.
  • Identify tracking cookies — look for cookies from unfamiliar domains.
  • Monitor expiry — use the Expiry report to find soon-to-expire session cookies.
  • Compare domains — check if the same cookie name is set across different subdomains.

Common Patterns

Authentication Cookies

  • Name examples: sessionId, accessToken, session, __Secure-token.
  • Attributes: usually HttpOnly + Secure + SameSite=Lax.
  • Lifetime: minutes to hours (short-lived for security).

User Preferences

  • Name examples: theme, lang, preferences, settings.
  • Attributes: usually not HttpOnly (JavaScript needs to read).
  • Lifetime: months or years (user preference).

Tracking/Analytics

  • Name examples: __ga, _fbp, __uid, __hsid.
  • Attributes: often third-party, long-lived.
  • Lifetime: years (persistent tracking).

CSRF Protection

  • Name examples: csrf_token, _csrf, X-CSRF-TOKEN.
  • Attributes: usually HttpOnly + SameSite=Lax/Strict.
  • Lifetime: session.

See Also