Skip to main content
Version: 1.0.1

Frequently Asked Questions

General

Cookie Lens is a Chrome extension for inspecting, decoding, editing, freezing, and auditing browser cookies. It ships as a toolbar popup for a quick look and a DevTools panel for deeper work.

Is it free? Do I need an account?

Yes, it's completely free, and there's no account, login, or sign-up.

Which browsers are supported?

Chrome and Chromium-based browsers (Edge, Brave, Opera, and similar).

See the Chrome Web Store listing for the current source and licensing details.

Installation & permissions

  1. Open the Chrome Web Store listing.
  2. Click Add to Chrome and confirm.
  3. Open the popup from the toolbar, or press F12 / Cmd+Option+I and open the Cookie Lens panel in DevTools.

Which permissions does it request, and why?

Granted on install:

PermissionWhy
cookiesThe product — read, write, delete cookies and receive the change feed.
storageSave preferences and Freeze / Profile / Report snapshots locally.
tabsThe DevTools panel resolves the inspected tab's URL to scope its list.
activeTabThe popup scopes cookies to the tab you invoked it on.
webRequestObserve Set-Cookie response headers to attribute a cookie to the request that set it ("Set by Request").

Host access (to read/write cookies on a site) is not granted by default. Cookie Lens requests it per site, at runtime, from a user gesture, so its default footprint stays minimal.

Does it work on localhost and production?

Yes to both. On production domains, Cookie Lens warns before destructive edits.

Does it work in incognito?

Yes — it operates on the separate incognito cookie jar. You must enable Allow in Incognito for the extension in chrome://extensions. Freeze/Profile snapshots tied to a closed incognito session are purged automatically.

Click a cookie row to open the inline editor, change the value or any attribute (domain, path, expiration, SameSite, Secure, HttpOnly), and save.

What's the difference between editing and freezing?

  • Editing changes a cookie once — until something changes it again.
  • Freezing pins the value. A background enforcer reverts any page/server change or deletion back to the frozen value, until you unfreeze it from the Frozen view.

What are Profiles?

Named cookie sets. Save the current cookies under a name, then switch between scenarios (logged-in, guest, admin) in one click. Profiles export/import as a file; imports are scoped to the current site.

What do the Activity and Diff views do?

  • Activity is a live feed of set / update / delete / expire / evict events for the inspected tab, with value diffs and a re-set badge for no-op writes.
  • Diff compares two snapshots of the cookie jar so you can see exactly what a flow added, removed, or changed.

Can I hide sensitive values while screen-sharing?

Yes. Value masking hides cookie values on screen without changing the underlying cookies.

JWT (header / claims / signature), JSON, Base64, and delimited key/value cookies (;=, &=, :=, |:, -_). Values are shown URL-decoded when the round-trip is lossless and re-encoded on save.

Can I edit decoded values?

Delimited key/value and Base64 values are editable in the decoded view; Cookie Lens re-encodes to the original format on save. JWT and JSON are shown read-only — edit them in the Raw tab. Editing a JWT's payload invalidates its signature, so the server will reject it, which is expected.

Smart search also matches decoded forms. When the match is only visible after decoding, a via JWT / via base64 / via URL chip explains why the cookie appeared.

Reports & data

What does the Report view show?

A single security/audit report: a health score plus severity-ranked findings with fixes — missing HttpOnly on sensitive cookies, SameSite=None without Secure, prefix violations, third-party and tracking cookies, likely PII, oversized cookies, duplicate names, and expired or long-lived cookies. It also tracks coverage and how the score moves across saved snapshots.

How do I export or import cookies?

Cookie Lens imports and exports CSV or JSON, with formula-injection guards, size caps, per-cookie failure reporting, and a foreign-domain warning on import. You can also select cookies and Copy as a curl command, a Cookie request header, a fetch() call, or a Playwright storageState, or use Delete All to clear the jar (frozen cookies survive).

Where is my data stored? Does it sync?

Everything is stored locally and nothing syncs. Cookie values live in the inspected tab's cookie jar; preferences and Freeze/Profile/Report snapshots live in local extension storage. See the Privacy Policy for details.

Troubleshooting

Refresh the page, close and reopen DevTools (F12), or restart the browser. Confirm the extension is installed and enabled in chrome://extensions.

My edit didn't stick

The server may re-set the cookie on the next request, or the cookie is server-managed. Use the Activity view to confirm whether the write landed, and Freeze the cookie if you need it to survive server writes.

A JWT shows as invalid

A JWT is header.payload.signature. If any part is malformed it won't decode. Copy the exact value from the Network tab; some tokens use non-standard encoding.

Feedback & support

For bugs or feature requests, use the support link on the Chrome Web Store listing.