Skip to content
This repository has been archived by the owner on Mar 4, 2024. It is now read-only.
/ cookie-sessions Public archive
forked from caolan/cookie-sessions

Secure cookie-based session middleware for Express

License

MIT license
4 stars 38 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

auth0/cookie-sessions

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

69 Commits
lib
lib
 
 
test
test
 
 
.editorconfig
.editorconfig
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
CHANGELOG.md
CHANGELOG.md
 
 
CODEOWNERS
CODEOWNERS
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
index.js
index.js
 
 
opslevel.yml
opslevel.yml
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 

Repository files navigation

Cookie-Sessions

Secure cookie-based session middleware for Express.

Session data is stored on the request object in the 'session' property:

  var app = require('express');
  var cookieParser = require('cookie-parser');
  var cookieSessions = require('cookie-sessions');

  app.use(
    cookieSessions({
      name: 'session_data',
      secret: process.env.SECRET
    })
  );

The cookie-parser middleware MUST also used.

The session data can be any JSON object. It's timestamped, encrypted and authenticated automatically. The authenticated encryption uses aes-256-gcm offered by the node crypto library. The httpOnly and secure cookie flags are set by default.

The main function accepts a number of options:

Option Required Description Default
secret Yes The secret to encrypt the session data.
timeout Yes The amount of time in milliseconds before the cookie expires. 24 hours
name Yes The cookie name in which to store the session data. \_node
path Yes The path to use for the cookie. /
domain No Define a specific domain/subdomain scope for the cookie.
autoRenew No Boolean: if true, a new cookie will be set in each response with an updated expiration Date.now() + timeout true
httpOnly No Boolean: if true, the httpOnly cookie flag will be set. true
secure No Boolean: if true, the secure cookie flag will be set. true
sameSite No If set to "lax" or "strict", the sameSite cookie flag with the corresponding mode will be set.
sessionCookie No Boolean: if true, it's considered a session cookie and no "expires" is set.

Why store session data in cookies?

  • Its fast, you don't need to hit the filesystem or a database to look up session data
  • It scales easily. You don't need to worry about sticky-sessions when load-balancing across multiple nodes.
  • No server-side persistence requirements

Caveats

  • You can only store 4k of data in a cookie
  • Higher-bandwidth requirements, since the cookie is sent to the server with every request.

In summary: don't use cookie storage if you keep a lot of data in your sessions!

Migrating to version 1.0.0

  • Any cookie created with 0.0.2 version will be invalidated.
  • The options object has two naming changes:
    • name instead of session_key
    • sessionCookie instead of session_cookie
  • The following exported functions have been removed:
    • readSession
    • readCookies
    • checkLength
    • headersToArray
    • hmac_signature

About

Secure cookie-based session middleware for Express

Resources

Readme

License

MIT license

Security policy

Security policy
Activity
Custom properties

Stars

4 stars

Watchers

4 watching

Forks

7 forks
Report repository

Releases 2

Updates lodash Latest
Jul 18, 2019
+ 1 release

Packages

 
 
 

Languages

  • JavaScript 100.0%