𝟱 𝗖𝗼𝗼𝗸𝗶𝗲 𝗧𝗿𝗶𝗰𝗸𝘀 𝗳𝗼𝗿 𝗗𝗲𝗯𝘂𝗴𝗴𝗶𝗻𝗴 𝗔𝘂𝘁𝗵 𝗜𝘀𝘀𝘂𝗲𝘀
Debugging authentication in web apps is slow. You often waste time creating new accounts or clearing all cookies to test different user types.
You can test any state without touching your database. Use these five techniques to manipulate cookies directly.
- Target specific cookies instead of clearing everything
Clearing all cookies destroys your dev server session, local storage, and Stripe test modes. Instead, delete only the auth cookie.
Common names include:
- session
- sid
- auth_token
- _session_id
In DevTools, go to Application > Cookies > [your domain]. Right-click the session cookie and select Delete. This resets the user state to logged-out while keeping your other settings intact.
- Simulate new users by deleting onboarding flags
Apps use cookies to track if a user finished setup. Look for names like onboarding_complete or first_visit.
To test the new user flow:
- Export your current cookies.
- Delete the onboarding flag.
- Reload the page.
This lets you test progressive UI branches without a new account.
- Switch user roles in 30 seconds using snapshots
If your app has different roles like Admin or Guest, do not log in and out manually. Use cookie snapshots.
- Log in as Admin. Export the cookies as admin-session.json.
- Log in as a Regular User. Export them as user-session.json.
- To switch roles, simply import the JSON file and reload.
The server trusts the session token. You are using valid sessions you already created. Keep these JSON files local. They contain sensitive session tokens.
- Test expired sessions instantly
Do not wait hours for a session to die. Change the expiry date manually.
In DevTools, double-click the Expires column for your session cookie. Set it to a date in the past. Reload the page. You will see exactly what happens when a session times out.
- Fix login redirect loops
Loops often happen because of a stale or malformed cookie. The session exists but the server rejects it.
To find the cause:
- Identify all auth-related cookies.
- Delete them one by one.
- Reload after each deletion.
The moment the loop stops, you found the broken cookie. This helps you identify if the issue is a bad token or an incorrect cookie domain.
These methods work even for HttpOnly cookies because DevTools and extensions like CookieJar operate at the browser level.