Secure cookie-based session middleware for Connect
Latest commit 12f63d4 Feb 13, 2012 @caolan Merge pull request #20 from richmarr/master
Added domain option
Failed to load latest commit information.
deps Update nodeunit to fix tests Mar 6, 2011
lib Added optional domain parameter to allow control of subdomain scope Jan 10, 2012
test Added optional domain parameter to allow control of subdomain scope Jan 10, 2012
.gitmodules code so far Jul 28, 2010
LICENSE added LICENSE Oct 10, 2010
index.js added index.js Jul 28, 2010
package.json Minor change in package.json to comply to new npm policies Nov 15, 2011


Secure cookie-based session middleware for Connect. This is a new module and I wouldn't recommend for production use just yet.

Session data is stored on the request object in the 'session' property:

var connect = require('connect'),
    sessions = require('cookie-sessions');

    sessions({secret: '123abc'}),
    function(req, res, next){
        req.session = {'hello':'world'};
        res.writeHead(200, {'Content-Type':'text/plain'});
        res.end('session data updated');

The session data is JSON.stringified, encrypted and timestamped, then a HMAC signature is attached to test for tampering. The main function accepts a number of options:

* secret -- The secret to encrypt the session data with
* timeout -- The amount of time in miliseconds before the cookie expires
  (default: 24 hours)
* session_key -- The cookie key name to store the session data in
  (default: _node)
* path -- The path to use for the cookie (default: '/')
* domain -- (optional) Define a specific domain/subdomain scope for the cookie

Why store session data in cookies?

  • Its fast, you don't need to hit the filesystem or a database to look up session data
  • It scales easily. You don't need to worry about sticky-sessions when load-balancing across multiple nodes.
  • No server-side persistence requirements


  • You can only store 4k of data in a cookie
  • Higher-bandwidth requirements, since the cookie is sent to the server with every request.

In summary: don't use cookie storage if you keep a lot of data in your sessions!