Why setting object as cookie value get modified #2815

Closed
JSteunou opened this issue Nov 24, 2015 · 5 comments
@JSteunou

I see my cookie value with a {j: original} wrapped around my original value. Why is that? Is this from some RFC?

@dougwilson
Contributor

Hi! It's not part of any standard, as the RFC for cookies says the value can only be a string. Ideally if we followed the standard, we would reject your cookie if it wasn't a string. As a convenience, Express.js allows you to set non-strings as the values, and we'll JSON.stringify the value, prepending a j: so we know the value should be JSON.parsed when we read it again for you.

If you do not want this behavior, simply provide a string as the cookie's value and we won't touch it.
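The convention described in the comment above, as an added example that is not part of the original thread and is not Express's own code: the function names are hypothetical, and falling back to the raw string on malformed JSON is an assumption. It also shows why a handler that expects a string should check the decoded type, since the `j:` tag is part of the value the client sends back.

```javascript
// Added illustration of the "j:" convention from the thread; not Express source.
// All function names here are hypothetical.

// Write side: a string is left untouched, anything else is JSON-encoded
// and tagged with "j:".
function encodeCookieValue(value) {
  return typeof value === 'string' ? value : 'j:' + JSON.stringify(value);
}

// Read side: a value tagged with "j:" is JSON-parsed. Assumption: malformed
// JSON falls back to the raw string.
function decodeCookieValue(raw) {
  if (typeof raw !== 'string' || !raw.startsWith('j:')) return raw;
  try {
    return JSON.parse(raw.slice(2));
  } catch (err) {
    return raw;
  }
}

// Defensive read for handlers that expect text: the "j:" tag travels in the
// cookie, so the sender decides whether the decoded value is a string.
function readStringCookie(raw) {
  const value = decodeCookieValue(raw);
  if (typeof value !== 'string') {
    throw new TypeError('cookie value is not a string');
  }
  return value;
}

// Constructed sample values.
const prefs = { theme: 'dark', pageSize: 20 };
const wire = encodeCookieValue(prefs);     // 'j:{"theme":"dark","pageSize":20}'
const roundTrip = decodeCookieValue(wire); // an object again

// A plain string that happens to start with "j:" is stored untouched but
// comes back as an object, so the round trip is not symmetric for strings.
const lookalike = encodeCookieValue('j:{"n":1}');
const surprised = decodeCookieValue(lookalike);

console.log(wire, roundTrip, typeof surprised);
```

Checking `typeof` on every cookie value before using it keeps the object case from reaching code written for strings.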

@JSteunou
Author

That's what I thought but I needed confirmation. Thank you @dougwilson

@dougwilson
Contributor

No problem!

@neverendingqs

neverendingqs commented Nov 13, 2016

Hi @dougwilson,

(Disclaimer: I don't know the difference between an unsigned cookie and a signed cookie).

I noticed signed tokens get a s: ~~appended~~ prepended:

val = 's:' + sign(val, secret);

I'm interested in your thoughts on this as at this point in the code, the cookie value is already a string, so the RFC reason for j: can't be applied here.

Thanks.

@dougwilson
Contributor

dougwilson commented Nov 13, 2016

Hi @neverendingqs, please try and open new issues, rather than resurrecting old, closed issues :) Disclaimer: the decision to prepend (not append) the s: was before I worked on Express, so my only good answer is "that's just how it is", but I know that's not a great answer, but I don't have the insight to the decisions before I was involved.
