In most cases — yes, should be able to detect all of the cookies set on a website. Exceptions are listed below:

  • will load the page as an anonymous user and will only receive cookies intended for such users. It's quite common (and it's actually good security practice) to set session cookies after the user has authenticated — and these cookies we will not be recorded. If you would be interested in authenticated scans, please contact us.
  • A website can display different cookies on different pages. You need to understand technology used to build different parts of your website to know which pages to test and then submit all the URL where representative cookies are being set.
  • Websites use many technologies to store data on user's browsers and the list is much broader than the traditional HTTP cookies. makes best effort to capture all of the available storage techniques (includes non-HTTP cookies) but obviously it cannot be always guaranteed to be 100% effective. For example, as of now Silverlight cookies are not yet supported.