Skip to content
Secure cookie-based session middleware for Connect
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
deps Update nodeunit to fix tests Mar 6, 2011
lib Added optional domain parameter to allow control of subdomain scope Jan 10, 2012
test Added optional domain parameter to allow control of subdomain scope Jan 10, 2012
.gitmodules code so far Jul 28, 2010
LICENSE added LICENSE Oct 10, 2010
index.js added index.js Jul 28, 2010
package.json Minor change in package.json to comply to new npm policies Nov 15, 2011
test.js code so far Jul 28, 2010


Secure cookie-based session middleware for Connect. This is a new module and I wouldn't recommend for production use just yet.

Session data is stored on the request object in the 'session' property:

var connect = require('connect'),
    sessions = require('cookie-sessions');

    sessions({secret: '123abc'}),
    function(req, res, next){
        req.session = {'hello':'world'};
        res.writeHead(200, {'Content-Type':'text/plain'});
        res.end('session data updated');

The session data is JSON.stringified, encrypted and timestamped, then a HMAC signature is attached to test for tampering. The main function accepts a number of options:

* secret -- The secret to encrypt the session data with
* timeout -- The amount of time in miliseconds before the cookie expires
  (default: 24 hours)
* session_key -- The cookie key name to store the session data in
  (default: _node)
* path -- The path to use for the cookie (default: '/')
* domain -- (optional) Define a specific domain/subdomain scope for the cookie

Why store session data in cookies?

  • Its fast, you don't need to hit the filesystem or a database to look up session data
  • It scales easily. You don't need to worry about sticky-sessions when load-balancing across multiple nodes.
  • No server-side persistence requirements


  • You can only store 4k of data in a cookie
  • Higher-bandwidth requirements, since the cookie is sent to the server with every request.

In summary: don't use cookie storage if you keep a lot of data in your sessions!

You can’t perform that action at this time.