Features
Cookie Lens is one product on two surfaces. The popup gives you the table and the essentials for the current tab; the DevTools panel adds every view below. The tab bar across the top switches between them: Cookies, Report, Activity, Diff, Profiles, and Frozen.
Inspect & edit
The Cookies view is a dense, sortable table. Each row shows the name, the (decoded) value, and attribute badges — Secure, HttpOnly, SameSite, and a third-party marker. A risk dot flags cookies worth a second look.
- Sort by name, size, or expiry; scope to first-party, third-party, or pinned; filter by SameSite, Secure, HttpOnly, session/persistent, or domain.
- Pin cookies you keep coming back to.
- Click any cookie to open the inline editor — change the value or any attribute (domain, path, expiration, SameSite, Secure, HttpOnly) and save. Changing the path prompts to move the cookie (delete & recreate). The editor also shows Set by Request — which request set the cookie, with its headers.
Add a cookie
The Add tab opens a form to create a cookie from scratch: a name, the value, and every attribute — domain, path, SameSite, expiration, and the Secure / HttpOnly / Session flags. The same attribute fields power the inline editor.
Page scope
New in 1.1.0Show only this page's cookies (Settings, on by default) narrows every
surface — the list, stats, search, Delete All, export, import, Activity, Diff,
Report and Profiles — to the cookies that actually apply to the current page
(RFC 6265 domain matching: the exact host plus dotted parent domains like
.site.com). Sibling subdomains' cookies (e.g. api.site.com while you're on
www.site.com) no longer clutter the list — or get swept by Delete All. Uncheck
the box to manage the whole site as before; the choice is remembered.
Writes that page scope would make invisible ask first: importing a file or loading a profile with out-of-scope entries confirms up front, and the Add form warns before it creates a cookie that wouldn't show on this page.
Decode structured values
Most interesting cookies aren't plain text. Cookie Lens auto-detects the
format and renders the right editor for it. Only the detected format and Raw
are offered per cookie, and edits serialize straight back to the original
encoding. Values are also shown URL-decoded when the round-trip is lossless
(e.g. A%7C1%7Cx → A|1|x), then re-encoded on save so the stored bytes stay
identical.
Delimited key/value — - _
Pairs split on -, key/value on _. Rendered as an editable table.
Query string — & =
The classic key=value&key=value form.
Semicolon — ; =
Pairs split on ;, key/value on =.
Colon — : =
Pairs split on :, key/value on =.
Pipe / colon — | :
Pairs split on |, key/value on :.
JSON
Pretty-printed and read-only — edit the fields in Raw.
Base64
Decoded to its underlying value; re-encoded on save.
JWT
Header, payload (with human-readable timestamps), and signature.
Smart search
Search matches the raw value and its decoded forms — JWT claims, Base64- and
URL-decoded text. When a match is only visible after decoding, a
via JWT / via base64 / via URL chip tells you why the cookie surfaced.
Freeze
Freeze pins a cookie's value. A background enforcer watches for changes and instantly reverts any page or server write — or an outright deletion — back to the frozen value. The Frozen view lists every freeze across sites and stores, with search, sort, and one-click unfreeze.
Great for holding a session while a script keeps clobbering it, or locking a feature flag in place while you test.
The Frozen tab is the management view: every frozen cookie across sites and stores, its enforcement status (how many times it's been reverted), search and sort, one-click unfreeze, and Unfreeze all.
Profiles
Save the current cookie set under a name, then switch between scenarios — logged in, guest, admin — in one click. Profiles export and import as a file, and imports are scoped to the current site to prevent session fixation.
Activity
A live "network tab for cookies." The Activity view streams
set / update / delete / expire / evict events for the inspected tab, with value
diffs and a re-set badge for writes that don't actually change anything.
New in 1.1.0 It also surfaces rejected cookies — a Set-Cookie the browser silently
dropped so it never reached the jar (invisible in the Application tab) — with
the exact reason: SameSite=None without Secure, a __Host-/__Secure-
prefix violation, over the 4096-byte limit, a Domain= the host can't set, or
likely blocked as a third-party cookie — add Partitioned (CHIPS). An action
filter narrows the feed to just the event kinds you care about
(Set / Update / Delete / Expired / Evicted / Rejected).
Diff
Snapshot the cookie jar, run a flow, then compare. Diff shows exactly what was added, removed, and changed between two snapshots — the fastest way to see what a login, checkout, or consent action really did.
Report
The Report view scores your cookies and lists severity-ranked findings with concrete fixes. It's not only security — the audit spans several areas:
- Security — missing
HttpOnlyon sensitive cookies,SameSite=NonewithoutSecure,__Secure-/__Host-prefix violations,alg:noneJWTs. - Privacy — third-party and tracking cookies, likely PII, unpartitioned cross-site cookies.
- Rolling-expiry trackers 1.1.0 — cookies that keep pushing their own expiration forward, effectively permanent. Two signals catch them: a value that stays put while the expiry advances, or a constant lifetime sliding forward even as the value rotates every visit (a "Rolling" / "Sliding" badge appears in the list too). Only a non-reversible hash of the value is stored, never the value.
- Consent (GDPR) 1.1.0 — reads the consent manager's own cookie (OneTrust, Cookiebot, CookieYes, Osano, Didomi, IAB TCF) — no page injection — and flags analytics/advertising cookies present despite a rejected category, or written before the consent moment. The Activity feed marks the "consent recorded" point and the offending writes.
- Hygiene & size — cookies over 4096 bytes, domains carrying too many or too-large cookies, duplicate names, expired and very long-lived cookies.
- Coverage & trends — Secure/HttpOnly/SameSite coverage ratios and how the score moves across saved snapshots.
Reach explainer
New in 1.1.0"Why isn't my cookie on this request?" — answered without digging through the
Network tab. Enter a target URL and Cookie Lens shows, per cookie, whether it
would be sent or held back, and exactly why a held-back cookie is
excluded: SameSite, Secure, domain, or path.
Import & export
Move cookies between environments as CSV or JSON. Exports and imports are hardened: formula-injection guards, size caps, per-cookie failure reporting, and a foreign-domain warning before you import onto the wrong site.
Select rows to act on them in bulk: delete the selection, export just
those cookies, or Copy as a ready-to-paste snippet — a curl command, a
Cookie: request header, a fetch() call, or a Playwright storageState.
Delete All clears the jar in one step and tells you which frozen cookies
will survive.
Value masking, site access & incognito
- Value masking blurs sensitive values on screen — safe for screen-sharing and recordings — without altering the cookies themselves (hover to reveal).
- Site access 1.1.0 — host access is granted per site, only from your click. Settings lists every site you've granted and lets you revoke any of them in one click, so access never quietly piles up.
- Incognito support works against the separate incognito cookie jar; its snapshots are purged when the private window closes, so nothing outlives the session.