Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
By Socket Research Team - Dec 02, 2024
Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
set-cookie-parser
Advanced tools
What is set-cookie-parser?
The set-cookie-parser package is a Node.js module that provides utilities for parsing and splitting the Set-Cookie headers found in HTTP responses. It can be used to extract cookie data in a structured format, making it easier to handle cookies in server-side applications.
What are set-cookie-parser's main functionalities?
Parse Set-Cookie Headers
This feature allows you to parse the Set-Cookie header from an HTTP response and convert it into an array of cookie objects.
const setCookie = require('set-cookie-parser');
const cookies = setCookie.parse(responseHeaders);
// responseHeaders should be the Set-Cookie header string or an array of Set-Cookie header strings.Parse Set-Cookie Headers with options
This feature allows you to parse the Set-Cookie header with additional options, such as returning a map of cookies for easier access by cookie name.
const setCookie = require('set-cookie-parser');
const cookies = setCookie.parse(responseHeaders, { map: true });
// responseHeaders should be the Set-Cookie header string or an array of Set-Cookie header strings. The option { map: true } will return an object map of cookies instead of an array.Split a Set-Cookie string
This feature allows you to split a Set-Cookie header string into an array of individual cookie strings, which can then be parsed separately.
const setCookie = require('set-cookie-parser');
const splitCookies = setCookie.splitCookiesString(cookieHeader);
// cookieHeader should be the full Set-Cookie header string.Other packages similar to set-cookie-parser
cookie
The 'cookie' package is used for parsing and serializing cookie headers. It provides similar functionalities for parsing cookies but does not focus exclusively on the Set-Cookie header.
tough-cookie
The 'tough-cookie' package is a more comprehensive solution for handling cookies in Node.js. It includes parsing, serialization, and cookie jar management, which can store and retrieve cookies like a web browser.
cookies
The 'cookies' package is designed to work with Node.js HTTP servers, providing a higher-level API for setting and getting cookies in server-side applications, but it does not specifically focus on parsing Set-Cookie headers.
set-cookie-parser
ℹ️ Note for current users: I'm considering some changes for the next major version and would appreciate your feedback: https://github.com/nfriedly/set-cookie-parser/discussions/68
Parses set-cookie headers into JavaScript objects
Accepts a single set-cookie header value, an array of set-cookie header values, a Node.js response object, or a fetch() Response object that may have 0 or more set-cookie headers.
Also accepts an optional options object. Defaults:
{
decodeValues: true, // Calls decodeURIComponent on each value - default: true
map: false, // Return an object instead of an array - default: false
silent: false, // Suppress the warning that is logged when called on a request instead of a response - default: false
}
Returns either an array of cookie objects or a map of name => cookie object with {map: true}. Each cookie object will have, at a minimum name and value properties, and may have additional properties depending on the set-cookie header:
name- cookie name (string)value- cookie value (string)path- URL path to limit the scope to (string or undefined)domain- domain to expand the scope to (string or undefined, may begin with "." to indicate the named domain or any subdomain of it)expires- absolute expiration date for the cookie (Date object or undefined)maxAge- relative expiration time of the cookie in seconds from when the client receives it (integer or undefined)- Note: when using with express's res.cookie() method, multiply
maxAgeby 1000 to convert to milliseconds.
- Note: when using with express's res.cookie() method, multiply
secure- indicates cookie should only be sent over HTTPs (true or undefined)httpOnly- indicates cookie should not be accessible to client-side JavaScript (true or undefined)sameSite- indicates if cookie should be included in cross-site requests (more info) (string or undefined)- Note: valid values are
"Strict","Lax", and"None", but set-cookie-parser coppies the value verbatim and does not perform any validation.
- Note: valid values are
partitioned- indicates cookie should be scoped to the combination of 3rd party domain + top page domain (more info) (true or undefined)
(The output format is loosely based on the input format of https://www.npmjs.com/package/cookie)
Install
$ npm install --save set-cookie-parser
Usage
Get array of cookie objects
var http = require('http');
var setCookie = require('set-cookie-parser');
http.get('http://example.com', function(res) {
var cookies = setCookie.parse(res, {
decodeValues: true // default: true
});
cookies.forEach(console.log);
}
Example output:
[
{
name: 'bam',
value: 'baz'
},
{
name: 'foo',
value: 'bar',
path: '/',
expires: new Date('Tue Jul 01 2025 06:01:11 GMT-0400 (EDT)'),
maxAge: 1000,
domain: '.example.com',
secure: true,
httpOnly: true,
sameSite: 'lax'
}
]
Get map of cookie objects
var http = require('http');
var setCookie = require('set-cookie-parser');
http.get('http://example.com', function(res) {
var cookies = setCookie.parse(res, {
decodeValues: true, // default: true
map: true // default: false
});
var desiredCookie = cookies['session'];
console.log(desiredCookie);
});
Example output:
{
bam: {
name: 'bam',
value: 'baz'
},
foo: {
name: 'foo',
value: 'bar',
path: '/',
expires: new Date('Tue Jul 01 2025 06:01:11 GMT-0400 (EDT)'),
maxAge: 1000,
domain: '.example.com',
secure: true,
httpOnly: true,
sameSite: 'lax'
}
}
Creating a new, modified set-cookie header
This library can be used in conjunction with the cookie library to modify and replace set-cookie headers:
const libCookie = require('cookie');
const setCookie = require('set-cookie-parser');
function modifySetCookie(res){
// parse the set-cookie headers with this library
let cookies = setCookie.parse(res);
// modify the cookies here
// ...
// create new set-cookie headers using the cookie library
res.headers['set-cookie'] = cookies.map(function(cookie) {
return libCookie.serialize(cookie.name, cookie.value, cookie);
});
}
See a real-world example of this in unblocker
Usage in React Native (and with some other fetch implementations)
React Native follows the Fetch spec more closely and combines all of the Set-Cookie header values into a single string.
The splitCookiesString method reverses this.
var setCookie = require('set-cookie-parser');
var response = fetch(/*...*/);
// This is mainly for React Native; Node.js does not combine set-cookie headers.
var combinedCookieHeader = response.headers.get('Set-Cookie');
var splitCookieHeaders = setCookie.splitCookiesString(combinedCookieHeader)
var cookies = setCookie.parse(splitCookieHeaders);
console.log(cookies); // should be an array of cookies
This behavior may become a default part of parse in the next major release, but requires the extra step for now.
Note that the fetch() spec now includes a getSetCookie() method that provides un-combined Set-Cookie headers. This library will automatically use that method if it is present.
API
parse(input, [options])
Parses cookies from a string, array of strings, or a http response object.
Always returns an array, regardless of input format. (Unless the map option is set, in which case it always returns an object.)
parseString(individualSetCookieHeader, [options])
Parses a single set-cookie header value string. Options default is {decodeValues: true}. Used under-the-hood by parse().
Returns an object.
splitCookiesString(combinedSetCookieHeader)
It's uncommon, but the HTTP spec does allow for multiple of the same header to have their values combined (comma-separated) into a single header.
This method splits apart a combined header without choking on commas that appear within a cookie's value (or expiration date).
Returns an array of strings that may be passed to parse().
References
License
MIT © Nathan Friedly
v2.7.1 - 2024-10-21
- Docs: added link to V3 discussion in readme
FAQs
Parses set-cookie headers into objects
The npm package set-cookie-parser receives a total of 5,263,586 weekly downloads. As such, set-cookie-parser popularity was classified as popular.
We found that set-cookie-parser demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 21 Oct 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Research
Typosquatting Cryptographic Libraries: Malicious npm Packages Threaten Crypto Developers with Keylogging and Wallet Theft
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
By Kirill Boychenko - Nov 27, 2024
Security News
Weekly Downloads Now Available in npm Package Search Results
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
By Sarah Gooding - Nov 26, 2024