Skip to main content
Version: 1.0.1

Set by Request

Set by Request answers the question "where did this cookie come from?". For each cookie, Cookie Lens attributes it to the network response that set or updated it — so you can tell a server-set cookie from one written by page JavaScript, and jump straight to the request responsible.

It works by observing Set-Cookie response headers (the webRequest permission, granted on install). Attribution is automatic — there's nothing to enable — but it only sees sites you've granted host access to, and it starts capturing when the panel opens.

Where to find it

  1. Open the Cookie Lens panel (or popup) and click a cookie to open its editor.
  2. Scroll to the Set by Request section at the bottom of the editor.

If a request was captured, you'll see one entry per response that touched the cookie, newest first.

What each entry shows

  • Method + URL — the request that set the cookie (e.g. POST /login). The URL is a link.
  • Timestamp — when the response arrived.
  • Response headers (expand the entry) — the Set-Cookie line(s) that set this cookie, alongside the other response headers, so you can see the exact attributes the server sent (Path, SameSite, Max-Age, Secure, …).

If no request was captured, the entry reads "No request captured — set by the page or another tool" (or set manually if you set it from Cookie Lens). That absence is itself a signal: the cookie came from document.cookie, another extension, or was set before the panel opened.

When to use it

  • Server vs. client cookies — instantly tell whether a cookie was set by a Set-Cookie response or by page JavaScript.
  • Debug auth flows — after logging in, open the session cookie and confirm which endpoint issued it, and with what flags.
  • Catch mismatches — the server's intended Set-Cookie attributes (in the captured headers) versus what actually landed in the jar (the editor's attribute fields).
  • Find the culprit — when a cookie keeps reappearing, the attributed request tells you which call re-sets it. Pair it with Freeze to hold your value in place, or watch it happen live in the Activity feed.

Notes

  • Attribution needs host access for the site (requested per site, from your click) and only covers responses seen after the panel opened — reload the page to attribute cookies set on load.
  • Everything stays on your device; the captured request metadata lives in session memory and is cleared on browser restart. See the Privacy Policy.

See Also