How to Inspect Cookies
Opening Cookie Lens
Cookie Lens has two surfaces:
- Popup — click the Cookie Lens icon in the toolbar to see cookies for the current tab.
- DevTools panel — press
F12(Windows/Linux) orCmd+Option+I(Mac), then open the Cookie Lens tab. The panel adds the Report, Activity, Diff, Profiles, and Frozen views.
The first time you inspect a site, grant host access when prompted — it's requested per site, from your click.
Understanding the Cookie List
The DevTools panel shows a dense, sortable table; the popup shows a compact list of the same cookies. Each row represents one cookie:
- Name — the cookie identifier (e.g.
sid,prefs,_ga). - Value — the current value, decoded for display and truncated if long. The panel table has a dedicated value column; in the compact popup, the full value opens in the editor.
- Badges — attribute flags: Secure, HttpOnly, and SameSite. The panel table also marks third-party cookies and shows a risk dot for cookies worth a closer look.
Click any cookie row to open its inline editor with the full value, every attribute, and its size in bytes.
Searching Cookies
Type in the search box to filter instantly. Search matches:
- the name —
sid,auth, - the domain —
.example.com, - the raw value — part of a session id or token, and
- the decoded value — a JWT claim, or Base64/URL-decoded text.
When a match is only visible after decoding, a via JWT / via base64 / via URL
chip explains why the cookie surfaced. See
Parsing & Decoding Values for what gets decoded.
Scope & Filters
Narrow the list to what matters:
- Scope — all, first-party, third-party, or pinned.
- Filters — Secure, HttpOnly, SameSite (Strict / Lax / None), session vs persistent, and domain.
Sorting Cookies
Sort the table by:
- Name — alphabetical.
- Size — largest first (find bloated cookies).
- Expiry — soonest first.
Click a sort control again to reverse the order.
Pinning Cookies
Pin cookies you keep returning to — auth tokens, feature flags, a preference you're debugging — and they stay at the top of the list. Click the pin again to unpin.
To keep a cookie from being changed or deleted at all, use Freeze instead of pinning — see Freezing Cookies.
Understanding Cookie Attributes
Domain
.example.com— accessible fromexample.comand all subdomains.example.com— accessible only from the exact domain.
Path
/— the entire site (most common)./admin— only under/admin/....
Secure
- Enabled — only sent over HTTPS.
- Disabled — sent over HTTP too (risky on untrusted networks).
HttpOnly
- Enabled — JavaScript cannot read it (protects against XSS).
- Disabled — JavaScript can read and modify it.
SameSite
- Strict — only sent in same-site requests (most restrictive).
- Lax — sent on top-level navigation, not cross-site (the modern default).
- None — sent in all requests; requires the Secure flag.
- Unspecified — browser default (treated as Lax).
Expiration
- Session — expires when the browser closes.
- Date/time — expires at a specific moment.
- Expired — already past expiry.
Auditing at a Glance
For a whole-site view of security, privacy, expiry, and size, open the Report view — it scores every cookie and lists ranked findings with fixes. See Reports & Analysis.
See Also
- Editing Cookies — modify values and attributes.
- Parsing Values — decode structured values.
- Freezing Cookies — protect a value from changes.
- Reports & Analysis — analyze security and privacy.