Skip to main content
Version: 1.0.1

Features

Cookie Lens is one product on two surfaces. The popup gives you the table and the essentials for the current tab; the DevTools panel adds every view below. The tab bar across the top switches between them: Cookies, Report, Activity, Diff, Profiles, and Frozen.

Inspect & edit

The Cookies view is a dense, sortable table. Each row shows the name, the (decoded) value, and attribute badges — Secure, HttpOnly, SameSite, and a third-party marker. A risk dot flags cookies worth a second look.

  • Sort by name, size, or expiry; scope to first-party, third-party, or pinned; filter by SameSite, Secure, HttpOnly, session/persistent, or domain.
  • Pin cookies you keep coming back to.
  • Click any cookie to open the inline editor — change the value or any attribute (domain, path, expiration, SameSite, Secure, HttpOnly) and save. Changing the path prompts to move the cookie (delete & recreate). The editor also shows Set by Request — which request set the cookie, with its headers.

The Add tab opens a form to create a cookie from scratch: a name, the value, and every attribute — domain, path, SameSite, expiration, and the Secure / HttpOnly / Session flags. The same attribute fields power the inline editor.

Decode structured values

Most interesting cookies aren't plain text. Cookie Lens auto-detects the format and renders the right editor for it. Only the detected format and Raw are offered per cookie, and edits serialize straight back to the original encoding. Values are also shown URL-decoded when the round-trip is lossless (e.g. A%7C1%7CxA|1|x), then re-encoded on save so the stored bytes stay identical.

Delimited key/value — - _

Pairs split on -, key/value on _. Rendered as an editable table.

Query string — & =

The classic key=value&key=value form.

Semicolon — ; =

Pairs split on ;, key/value on =.

Colon — : =

Pairs split on :, key/value on =.

Pipe / colon — | :

Pairs split on |, key/value on :.

JSON

Pretty-printed and read-only — edit the fields in Raw.

Base64

Decoded to its underlying value; re-encoded on save.

JWT

Header, payload (with human-readable timestamps), and signature.

Search matches the raw value and its decoded forms — JWT claims, Base64- and URL-decoded text. When a match is only visible after decoding, a via JWT / via base64 / via URL chip tells you why the cookie surfaced.

Freeze

Freeze pins a cookie's value. A background enforcer watches for changes and instantly reverts any page or server write — or an outright deletion — back to the frozen value. The Frozen view lists every freeze across sites and stores, with search, sort, and one-click unfreeze.

Great for holding a session while a script keeps clobbering it, or locking a feature flag in place while you test.

The Frozen tab is the management view: every frozen cookie across sites and stores, its enforcement status (how many times it's been reverted), search and sort, one-click unfreeze, and Unfreeze all.

Profiles

Save the current cookie set under a name, then switch between scenarios — logged in, guest, admin — in one click. Profiles export and import as a file, and imports are scoped to the current site to prevent session fixation.

Activity

A live "network tab for cookies." The Activity view streams set / update / delete / expire / evict events for the inspected tab, with value diffs and a re-set badge for writes that don't actually change anything.

Diff

Snapshot the cookie jar, run a flow, then compare. Diff shows exactly what was added, removed, and changed between two snapshots — the fastest way to see what a login, checkout, or consent action really did.

Report

The Report view scores your cookies and lists severity-ranked findings with concrete fixes. It's not only security — the audit spans four areas:

  • Security — missing HttpOnly on sensitive cookies, SameSite=None without Secure, __Secure-/__Host- prefix violations, alg:none JWTs.
  • Privacy — third-party and tracking cookies, likely PII, unpartitioned cross-site cookies.
  • Hygiene & size — cookies over 4096 bytes, domains carrying too many or too-large cookies, duplicate names, expired and very long-lived cookies.
  • Coverage & trends — Secure/HttpOnly/SameSite coverage ratios and how the score moves across saved snapshots.

Import & export

Move cookies between environments as CSV or JSON. Exports and imports are hardened: formula-injection guards, size caps, per-cookie failure reporting, and a foreign-domain warning before you import onto the wrong site.

Select rows to act on them in bulk: delete the selection, export just those cookies, or Copy as a ready-to-paste snippet — a curl command, a Cookie: request header, a fetch() call, or a Playwright storageState. Delete All clears the jar in one step and tells you which frozen cookies will survive.

Value masking & incognito

  • Value masking hides sensitive values on screen — safe for screen-sharing and recordings — without altering the cookies themselves.
  • Incognito support works against the separate incognito cookie jar; dead snapshots are purged when the service worker restarts.

See also