Features
Cookie Lens is one product on two surfaces. The popup gives you the table and the essentials for the current tab; the DevTools panel adds every view below. The tab bar across the top switches between them: Cookies, Report, Activity, Diff, Profiles, and Frozen.
Inspect & edit
The Cookies view is a dense, sortable table. Each row shows the name, the (decoded) value, and attribute badges — Secure, HttpOnly, SameSite, and a third-party marker. A risk dot flags cookies worth a second look.
- Sort by name, size, or expiry; scope to first-party, third-party, or pinned; filter by SameSite, Secure, HttpOnly, session/persistent, or domain.
- Pin cookies you keep coming back to.
- Click any cookie to open the inline editor — change the value or any attribute (domain, path, expiration, SameSite, Secure, HttpOnly) and save. Changing the path prompts to move the cookie (delete & recreate). The editor also shows Set by Request — which request set the cookie, with its headers.
Add a cookie
The Add tab opens a form to create a cookie from scratch: a name, the value, and every attribute — domain, path, SameSite, expiration, and the Secure / HttpOnly / Session flags. The same attribute fields power the inline editor.
Decode structured values
Most interesting cookies aren't plain text. Cookie Lens auto-detects the
format and renders the right editor for it. Only the detected format and Raw
are offered per cookie, and edits serialize straight back to the original
encoding. Values are also shown URL-decoded when the round-trip is lossless
(e.g. A%7C1%7Cx → A|1|x), then re-encoded on save so the stored bytes stay
identical.
Delimited key/value — - _
Pairs split on -, key/value on _. Rendered as an editable table.
Query string — & =
The classic key=value&key=value form.
Semicolon — ; =
Pairs split on ;, key/value on =.
Colon — : =
Pairs split on :, key/value on =.
Pipe / colon — | :
Pairs split on |, key/value on :.
JSON
Pretty-printed and read-only — edit the fields in Raw.
Base64
Decoded to its underlying value; re-encoded on save.
JWT
Header, payload (with human-readable timestamps), and signature.
Smart search
Search matches the raw value and its decoded forms — JWT claims, Base64- and
URL-decoded text. When a match is only visible after decoding, a
via JWT / via base64 / via URL chip tells you why the cookie surfaced.
Freeze
Freeze pins a cookie's value. A background enforcer watches for changes and instantly reverts any page or server write — or an outright deletion — back to the frozen value. The Frozen view lists every freeze across sites and stores, with search, sort, and one-click unfreeze.
Great for holding a session while a script keeps clobbering it, or locking a feature flag in place while you test.
The Frozen tab is the management view: every frozen cookie across sites and stores, its enforcement status (how many times it's been reverted), search and sort, one-click unfreeze, and Unfreeze all.
Profiles
Save the current cookie set under a name, then switch between scenarios — logged in, guest, admin — in one click. Profiles export and import as a file, and imports are scoped to the current site to prevent session fixation.
Activity
A live "network tab for cookies." The Activity view streams
set / update / delete / expire / evict events for the inspected tab, with value
diffs and a re-set badge for writes that don't actually change anything.
Diff
Snapshot the cookie jar, run a flow, then compare. Diff shows exactly what was added, removed, and changed between two snapshots — the fastest way to see what a login, checkout, or consent action really did.
Report
The Report view scores your cookies and lists severity-ranked findings with concrete fixes. It's not only security — the audit spans four areas:
- Security — missing
HttpOnlyon sensitive cookies,SameSite=NonewithoutSecure,__Secure-/__Host-prefix violations,alg:noneJWTs. - Privacy — third-party and tracking cookies, likely PII, unpartitioned cross-site cookies.
- Hygiene & size — cookies over 4096 bytes, domains carrying too many or too-large cookies, duplicate names, expired and very long-lived cookies.
- Coverage & trends — Secure/HttpOnly/SameSite coverage ratios and how the score moves across saved snapshots.
Import & export
Move cookies between environments as CSV or JSON. Exports and imports are hardened: formula-injection guards, size caps, per-cookie failure reporting, and a foreign-domain warning before you import onto the wrong site.
Select rows to act on them in bulk: delete the selection, export just
those cookies, or Copy as a ready-to-paste snippet — a curl command, a
Cookie: request header, a fetch() call, or a Playwright storageState.
Delete All clears the jar in one step and tells you which frozen cookies
will survive.
Value masking & incognito
- Value masking hides sensitive values on screen — safe for screen-sharing and recordings — without altering the cookies themselves.
- Incognito support works against the separate incognito cookie jar; dead snapshots are purged when the service worker restarts.