Security News
GitHub Removes Malicious Pull Requests Targeting Open Source Repositories
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
The 'cookies' npm package is a Node.js module for handling browser cookies on the server side. It allows you to get and set HTTP cookies with a simple API, providing a way to manage session data and track user information across requests.
Get a cookie
This feature allows you to retrieve the value of a cookie named 'LastVisit' from an incoming HTTP request.
const Cookies = require('cookies');
// req and res are the request and response objects of a Node.js HTTP request handler
const cookies = new Cookies(req, res);
const lastVisit = cookies.get('LastVisit');
Set a cookie
This feature allows you to set a cookie with the name 'Name' and value 'Value', with additional options such as 'httpOnly' and 'secure' flags.
const Cookies = require('cookies');
// req and res are the request and response objects of a Node.js HTTP request handler
const cookies = new Cookies(req, res);
// httpOnly keeps the cookie away from client-side JavaScript; secure restricts it to HTTPS
cookies.set('Name', 'Value', { httpOnly: true, secure: true });
Set a cookie with expiration
This feature allows you to set a cookie that will expire one week from the current date.
const Cookies = require('cookies');
// req and res are the request and response objects of a Node.js HTTP request handler
const cookies = new Cookies(req, res);
// 7 days expressed in milliseconds, added to the current time
const oneWeekLater = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
cookies.set('SessionToken', 'tokenValue', { expires: oneWeekLater });
A popular middleware for Express.js that parses cookies attached to the client request object. It is similar to 'cookies' but is specifically designed to integrate with Express.js applications.
A robust package for handling cookies in Node.js. It offers a more comprehensive API for cookie manipulation, including parsing, serialization, and jar (cookie container) support, which can be more suitable for complex use cases compared to the simpler API of 'cookies'.
A simple HTTP cookie parser and serializer for Node.js. It provides basic functionality for parsing and serializing cookies, similar to 'cookies', but without the additional features like setting cookies with options directly in the response object.
Cookies is a node.js module for getting and setting HTTP(S) cookies. Cookies can be signed to prevent tampering, using Keygrip. It can be used with the built-in node.js HTTP library, or as Connect/Express middleware.
$ npm install cookies
Lazy: Since cookie verification against multiple keys could be expensive, cookies are only verified lazily when accessed, not eagerly on each request.
Secure: All cookies are httponly by default, and cookies sent over SSL are secure by default. An error will be thrown if you try to send secure cookies over an insecure socket.
Unobtrusive: Signed cookies are stored the same way as unsigned cookies, instead of in an obfuscated signing format. An additional signature cookie is stored for each signed cookie, using a standard naming convention (cookie-name.sig). This allows other libraries to access the original cookies without having to know the signing mechanism.
Agnostic: This library is optimized for use with Keygrip, but does not require it; you can implement your own signing scheme instead if you like and use this library only to read/write cookies. Factoring the signing into a separate library encourages code reuse and allows you to use the same signing library for other areas where signing is needed, such as in URLs.
This creates a cookie jar corresponding to the current request and response. A Keygrip object can optionally be passed as the third argument keygrip to enable cryptographic signing based on SHA1 HMAC, using rotated credentials.
Note that since this only saves parameters without any other processing, it is very lightweight. Cookies are only parsed on demand when they are accessed.
This adds cookie support as a Connect middleware layer for use in Express apps, allowing inbound cookies to be read using req.cookies.get and outbound cookies to be set using res.cookies.set.
This extracts the cookie with the given name from the Cookie header in the request. If such a cookie exists, its value is returned. Otherwise, nothing is returned.
{ signed: true } can optionally be passed as the second parameter options. In this case, a signature cookie (a cookie of same name ending with the .sig suffix appended) is fetched. If no such cookie exists, nothing is returned.
If the signature cookie does exist, the provided Keygrip object is used to check whether the hash of cookie-name=cookie-value matches that of any registered key:
This sets the given cookie in the response and returns the current context to allow chaining.
If the value is omitted, an outbound header with an expired date is used to delete the cookie.
If the options object is provided, it will be used to generate the outbound cookie header as follows:
maxage: a number representing the milliseconds from Date.now() for expiry.
expires: a Date object indicating the cookie's expiration date (expires at the end of session by default).
path: a string indicating the path of the cookie (/ by default).
domain: a string indicating the domain of the cookie (no default).
secure: a boolean indicating whether the cookie is only to be sent over HTTPS (false by default for HTTP, true by default for HTTPS).
secureProxy: a boolean indicating whether the cookie is only to be sent over HTTPS (use this if you handle SSL not in your node process).
httpOnly: a boolean indicating whether the cookie is only to be sent over HTTP(S), and not made available to client JavaScript (true by default).
signed: a boolean indicating whether the cookie is to be signed (false by default). If this is true, another cookie of the same name with the .sig suffix appended will also be sent, with a 27-byte url-safe base64 SHA1 value representing the hash of cookie-name=cookie-value against the first Keygrip key. This signature key is used to detect tampering the next time a cookie is received.
overwrite: a boolean indicating whether to overwrite previously set cookies of the same name (false by default). If this is true, all cookies set during the same request with the same name (regardless of path or domain) are filtered out of the Set-Cookie header when setting this cookie.

var http = require( "http" )
var assert = require( "assert" )
var Cookies = require( "cookies" )
var Keygrip = require( "keygrip" )

// key list assumed for this example: the first key signs, older keys are still accepted (rotation)
var keys = new Keygrip( [ "SEKRIT2", "SEKRIT1" ] )

var server = http.createServer( function( req, res ) {
  var cookies = new Cookies( req, res, keys )
  var unsigned, signed, tampered
  if ( req.url == "/set" ) {
    cookies
      // set a regular cookie
      .set( "unsigned", "foo", { httpOnly: false } )
      // set a signed cookie
      .set( "signed", "bar", { signed: true } )
      // mimic a signed cookie, but with a bogus signature
      .set( "tampered", "baz" )
      .set( "tampered.sig", "bogus" )
    res.writeHead( 302, { "Location": "/" } )
    return res.end( "Now let's check." )
  }
  // visit /set first; these checks expect the cookies set there to be present
  unsigned = cookies.get( "unsigned" )
  signed = cookies.get( "signed", { signed: true } )
  tampered = cookies.get( "tampered", { signed: true } )
  assert.equal( unsigned, "foo" )
  assert.equal( signed, "bar" )
  // a bogus .sig cookie makes the signed getter return undefined, not the stored value
  assert.notEqual( tampered, "baz" )
  assert.equal( tampered, undefined )
  res.writeHead( 200, { "Content-Type": "text/plain" } )
  res.end(
    "unsigned expected: foo\n\n" +
    "unsigned actual: " + unsigned + "\n\n" +
    "signed expected: bar\n\n" +
    "signed actual: " + signed + "\n\n" +
    "tampered expected: undefined\n\n" +
    "tampered: " + tampered + "\n\n"
  )
})
// port assumed for this example
server.listen( 3000 )
Copyright (c) 2012 Jed Schmidt. See LICENSE.txt for details.
Send any questions or comments here.
FAQs
Cookies, optionally signed using Keygrip.
The npm package cookies receives a total of 1,801,083 weekly downloads. As such, cookies popularity was classified as popular.
We found that cookies demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.