// HTTP Cookie Tool
Paste any cookie string or Set-Cookie header to decode Base64, URL-encoded, JWT, and JSON values. Detects known cookies like _ga, PHPSESSID, and session tokens automatically.
HTTP cookies are key-value pairs sent by a server via the Set-Cookie header and returned by the browser in every subsequent request via the Cookie header. The cookie string you see in DevTools or HTTP captures is a semicolon-separated list of key=value pairs.
Cookie encoding formats
Cookie values are not transmitted as raw data — they are typically encoded to ensure safe transport. URL encoding (percent-encoding) replaces special characters: spaces become %20, equals signs %3D. Base64 encodes binary or JSON data as ASCII text — recognizable by the == padding at the end. JWT (JSON Web Token) is three Base64-encoded segments separated by dots (header.payload.signature) — the payload contains claims in JSON format. Some frameworks encode entire JSON objects in Base64 for session storage.
Common known cookies and what they mean
_ga — Google Analytics visitor ID. Format: GA1.2.XXXXXXXXXX.XXXXXXXXXX.
_gid — Google Analytics session ID, expires after 24 hours.
PHPSESSID — PHP session identifier, 26-32 hex chars.
connect.sid — Express/Node.js session cookie, Base64-encoded signed value.
JSESSIONID — Java servlet session ID.
__utma — Legacy Google Analytics.
cf_clearance — Cloudflare challenge clearance.
_fbp — Facebook pixel browser ID.
Cookie decoding vs cookie decryption
Decoding reverses an encoding scheme (Base64, URL encoding) — no secret key is needed. Decryption reverses encryption (AES, RSA) — requires the server's secret key. Most session cookies are encoded, not encrypted — making them decodable client-side. Flask session cookies are Base64-encoded and signed but not encrypted (you can decode the JSON payload without the key). Truly encrypted cookies (Rails encrypted cookies, .NET Data Protection tokens) cannot be decoded without the server key.
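The encoding formats and the decode-without-a-key point above, as an added Python example that is not part of the original page or the tool's own code. The cookie header is constructed sample data and the function names are hypothetical; the "alg" check is what separates a JWT from a three-segment signed session cookie.

```python
import base64, binascii, json
from urllib.parse import unquote

# Constructed sample Cookie header (not captured traffic). "session" uses the
# payload.timestamp.signature layout of Flask-style signed cookies.
SAMPLE = (
    "PHPSESSID=0123456789abcdef0123456789; prefs=theme%3Ddark%20mode; "
    "session=eyJ1c2VyX2lkIjo0Mn0.ZkFxyz.c2lnbmF0dXJl; "
    "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI0MiJ9.c2ln"
)

def b64url(seg):
    """Decode Base64 or Base64url, restoring '=' padding a server stripped."""
    seg = seg.replace("-", "+").replace("_", "/")
    return base64.b64decode(seg + "=" * (-len(seg) % 4), validate=True)

def as_json(seg):
    """Return the JSON object encoded in seg, or None if it is not one."""
    try:
        obj = json.loads(b64url(seg))
    except (binascii.Error, ValueError):  # bad alphabet, bad UTF-8, bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def classify(value):
    """Return (kind, decoded) for one cookie value. No key is used anywhere."""
    value = unquote(value)                      # undo percent-encoding first
    parts = value.split(".")
    # A JWT has three segments and a JSON header that names an algorithm.
    if len(parts) == 3 and (hdr := as_json(parts[0])) and "alg" in hdr:
        return "jwt", {"header": hdr, "payload": as_json(parts[1])}
    # Signed session cookies: readable JSON first, signature segments after.
    if (obj := as_json(parts[0])) is not None:
        return ("signed-json" if len(parts) > 1 else "base64-json"), obj
    return "plain", value                       # opaque ID or encrypted blob

def decode_cookie_header(header):
    """Split a Cookie header into {name: (kind, decoded)}."""
    out = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            out[name] = classify(value)
    return out

if __name__ == "__main__":
    for name, (kind, decoded) in decode_cookie_header(SAMPLE).items():
        print(f"{name:10} {kind:12} {decoded}")
```

The signature segments are never verified here, which is the point: readable does not mean trusted, and only the server holding the key can tell whether the payload was modified.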