Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
signed cookie functionality for node.js
Pull request Compare This branch is 13 commits behind jed:master.

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
example
LICENSE.txt
README.markdown
base64.js
index.js
package.json

README.markdown

cookie-node.js

cookie-node is a cookie module for node.js, based loosely on Tornado's approach to signed cookies.

To start, require the library in your app:

var cookie = require( "./cookie-node" );

This extends the ServerRequest and ServerResponse objects, allowing you to get cookies on requests and set them on responses for server calls:

function( req, res ) {
  var name = req.getCookie( "name" ),
      length = name.length;

  res.setCookie( "name_length", length );

  res.writeHead(200, {"Content-Type": "text/html"});    
  res.write( "Your name has " + length + " characters." );  
  res.close();
}

You can also set a cookie secret to enable signed cookies, and prevent forged cookies:

cookie.secret = "myRandomSecretThatNoOneWillGuess";

so that the above becomes:

function( req, res ) {
  var name = req.getSecureCookie( "name" ),
      length = name.length;

  res.setSecureCookie( "name_length", length );

  res.writeHead(200, {"Content-Type": "text/html"});    
  res.write( "Your name has " + length + " characters." );  
  res.close();
}

(You don't need to set the secret, but your cookies will end up being invalidated when the server restarts, and you will be yelled at.)

When you set a secure cookie, the value is stored alongside its expiration date, as well as an HMAC SHA-1 digest of the two values with your secret. If a cookie's signature does not match that calculated on the server, the getSecureCookie method throws.

If you'd like to clear a cookie, just use res.clearCookie( name ).

That's about it. Send any questions or comments here.

Something went wrong with that request. Please try again.