Cookie Signer Unsigner
Sign and unsign HTTP cookie values using HMAC-SHA256 for secure session management and data integrity verification
What is cookie signing?
Cookie signing is a security technique that adds a cryptographic signature to cookie values, ensuring their integrity and authenticity. When a server sends a cookie to a browser, it appends a hash-based message authentication code (HMAC) to the cookie's value. This signature is created using a secret key known only to the server. When the browser sends the cookie back, the server can verify the signature to confirm the cookie hasn't been tampered with.
How does HMAC-SHA1 signing work?
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a unique signature. For cookie signing, the process works as follows:
- Signing: The original cookie value is combined with a secret key using the HMAC-SHA1 algorithm, producing a signature. The final signed cookie format is value.signature, where the signature is base64url-encoded.
- Verification: When receiving a signed cookie, the server extracts the original value and signature, recalculates the expected signature using the same secret key, and compares them using a timing-safe comparison to prevent timing attacks.
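The signing and verification steps above, as an added Node.js example (not this tool's own code and not the source of the cookie-signature package). It assumes HMAC-SHA1 and an unpadded base64url signature, as this section describes; the function names, the `algorithm` parameter and the sample secret are hypothetical.

```javascript
// Added example: sign/verify cookies in the value.signature format.
const crypto = require('node:crypto');

// HMAC over the raw value; the signature is base64url without padding.
function mac(value, secret, algorithm) {
  return crypto.createHmac(algorithm, secret).update(value).digest('base64url');
}

// `algorithm` defaults to 'sha1' (assumption taken from the text above).
function sign(value, secret, algorithm = 'sha1') {
  if (typeof value !== 'string' || typeof secret !== 'string' || secret === '') {
    throw new TypeError('a string value and a non-empty secret are required');
  }
  return `${value}.${mac(value, secret, algorithm)}`;
}

// Returns the original value, or null when the signature does not verify.
function unsign(signed, secret, algorithm = 'sha1') {
  if (typeof signed !== 'string') return null;
  // The value may itself contain dots; the signature never does.
  const idx = signed.lastIndexOf('.');
  if (idx === -1) return null;
  const value = signed.slice(0, idx);
  const given = Buffer.from(signed.slice(idx + 1));
  const expected = Buffer.from(mac(value, secret, algorithm));
  // timingSafeEqual throws on unequal lengths; the length is not secret.
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? value : null;
}

// Constructed sample input: a client rewrites the value but cannot
// recompute the signature without the server's secret.
const SECRET = 'example-secret-not-for-production';
const cookie = sign('role=user', SECRET);
const forged = cookie.replace('role=user', 'role=admin');
console.log(cookie);
console.log(unsign(cookie, SECRET), unsign(forged, SECRET), unsign(cookie, 'wrong-secret'));
```

Verification recomputes the signature from the received value, so a changed value and a wrong key fail in the same way and the caller only ever sees a verified value or null.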
Why use signed cookies?
Unsigned cookies can be easily modified by users or malicious scripts. A user could change their session ID, user role, or other sensitive data stored in cookies. Signed cookies prevent this by making any modification detectable—if the value changes, the signature becomes invalid.
Tool description
This tool allows you to sign and unsign cookie values using HMAC-SHA1 signatures, compatible with the popular cookie-signature npm package format. Enter your cookie value and secret key to generate a signed cookie, or paste a signed cookie to extract and verify its original value.
Examples
Signing a cookie:
| Input (Unsigned) | Secret Key | Output (Signed) |
|---|---|---|
| user123 | my-secret-key | user123.SNk0sCiCAuZ5cwj0lNdJfUgwqU4 |
| session_abc | app-secret | session_abc.sBzU4FZRe3BfgNWZQB4viGTH37A |
Unsigning a cookie:
| Input (Signed) | Secret Key | Output (Unsigned) |
|---|---|---|
| test.sOx9vuKRxxXdUOK0uLcAQ4CIORo | password | test |
Invalid signature detection:
If you try to unsign a cookie with the wrong secret key or a tampered value, the tool will display an "Invalid signature" error.
Features
- Sign cookies with HMAC-SHA1 using any secret key
- Unsign and verify signed cookies to extract original values
- Timing-safe comparison prevents timing attacks during verification
- Compatible format with the Node.js cookie-signature package
- Browser-based processing using Web Crypto API—no data sent to servers
Use cases
- Testing Express.js sessions: Verify that your Express session cookies are properly signed and can be decoded with your secret key
- Debugging authentication issues: Extract the original value from signed cookies to troubleshoot login or session problems
- Security auditing: Verify that cookie signatures are working correctly in your web application
- Learning cryptography: Understand how HMAC-based cookie signing works in practice
- Migration testing: Ensure cookie compatibility when changing secret keys or migrating between frameworks