set-cookie-parser
Advanced tools
Parses set-cookie headers into JavaScript objects
Accepts a single set-cookie header value, an array of set-cookie header values, a Node.js response object, or a fetch() Response object that may have 0 or more set-cookie headers.
Returns either an array of cookie objects or a map of name => cookie object with options set {map: true}. Each cookie object will have, at a minimum name and value properties, and may have additional properties depending on the set-cookie header:
name - cookie name (string)value - cookie value (string)path - URL path to limit the scope to (string or undefined)domain - domain to expand the scope to (string or undefined, may begin with "." to indicate the named domain or any subdomain of it)expires - absolute expiration date for the cookie (Date object or undefined)maxAge - relative expiration time of the cookie in seconds from when the client receives it (integer or undefined)
maxAge by 1000 to convert to milliseconds.secure - indicates cookie should only be sent over HTTPs (true or undefined)httpOnly - indicates cookie should not be accessible to client-side JavaScript (true or undefined)sameSite - indicates if cookie should be included in cross-site requests (more info) (string or undefined)
"Strict", "Lax", and "None", but set-cookie-parser copies the value verbatim and does not perform any validation.partitioned - indicates cookie should be scoped to the combination of 3rd party domain + top page domain (more info) (true or undefined)(The output format is loosely based on the input format of https://www.npmjs.com/package/cookie)
$ npm install --save set-cookie-parser
import * as http from 'node:http';
import { parseSetCookie } from 'set-cookie-parser';
// or const { parseSetCookie } = require('set-cookie-parser');
http.get('http://example.com', function(res) {
const cookies = parseSetCookie(res, {
decodeValues: true // default: true
});
cookies.forEach(console.log);
}
Example output:
[
{
name: 'bam',
value: 'baz'
},
{
name: 'foo',
value: 'bar',
path: '/',
expires: new Date('Tue Jul 01 2025 06:01:11 GMT-0400 (EDT)'),
maxAge: 1000,
domain: '.example.com',
secure: true,
httpOnly: true,
sameSite: 'lax'
}
]
import * as http from 'node:http';
import { parseSetCookie } from 'set-cookie-parser';
// or const { parseSetCookie } = require('set-cookie-parser');
http.get('http://example.com', function(res) {
const cookies = parseSetCookie(res, {
decodeValues: true, // default: true
map: true // default: false
});
const desiredCookie = cookies['session'];
console.log(desiredCookie);
});
Example output:
{
bam: {
name: 'bam',
value: 'baz'
},
foo: {
name: 'foo',
value: 'bar',
path: '/',
expires: new Date('Tue Jul 01 2025 06:01:11 GMT-0400 (EDT)'),
maxAge: 1000,
domain: '.example.com',
secure: true,
httpOnly: true,
sameSite: 'lax'
}
}
This library can be used in conjunction with the cookie library to modify and replace set-cookie headers:
import * as libCookie from 'cookie';
import { parseSetCookie } from 'set-cookie-parser';
// or const { parseSetCookie } = require('set-cookie-parser');
function modifySetCookie(res){
// parse the set-cookie headers with this library
const cookies = parseSetCookie(res);
// modify the cookies here
// ...
// create new set-cookie headers using the cookie library
res.headers['set-cookie'] = cookies.map(function(cookie) {
return libCookie.serialize(cookie.name, cookie.value, cookie);
});
}
See a real-world example of this in unblocker
Parses cookies from a string, array of strings, or a http response object.
Always returns an array, regardless of input format. (Unless the map option is set, in which case it always returns an object.)
Also accepts an optional options object. Defaults:
{
decodeValues: true, // Calls decodeURIComponent on each value - default: true
map: false, // Return an object instead of an array - default: false
silent: false, // Suppress the warning that is logged when called on a request instead of a response - default: false
split: 'auto', // Separate combined cookie headers. Valid options are true/false/'auto'. 'auto' splits strings but not arrays.
}
MIT © Nathan Friedly
The 'cookie' package is used for parsing and serializing cookie headers. It provides similar functionalities for parsing cookies but does not focus exclusively on the Set-Cookie header.
The 'tough-cookie' package is a more comprehensive solution for handling cookies in Node.js. It includes parsing, serialization, and cookie jar management, which can store and retrieve cookies like a web browser.
The 'cookies' package is designed to work with Node.js HTTP servers, providing a higher-level API for setting and getting cookies in server-side applications, but it does not specifically focus on parsing Set-Cookie headers.
FAQs
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
Since January 31, 2026, we identified at least 72 additional malicious Open VSX extensions, including transitive GlassWorm loader extensions targeting developers.
Research
Six malicious Packagist packages posing as OphimCMS themes contain trojanized jQuery that exfiltrates URLs, injects ads, and loads FUNNULL-linked redirects.
Security News
The GCVE initiative operated by CIRCL has officially opened its publishing ecosystem, letting organizations issue and share vulnerability identifiers without routing through a central authority.