signed cookie functionality for node.js
Pull request Compare This branch is 13 commits behind jed:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
example
LICENSE.txt
README.markdown
base64.js
index.js
package.json

README.markdown

cookie-node.js

cookie-node is a cookie module for node.js, based loosely on Tornado's approach to signed cookies.

To start, require the library in your app:

var cookie = require( "./cookie-node" );

This extends the ServerRequest and ServerResponse objects, allowing you to get cookies on requests and set them on responses for server calls:

function( req, res ) {
  var name = req.getCookie( "name" ),
      length = name.length;

  res.setCookie( "name_length", length );

  res.writeHead(200, {"Content-Type": "text/html"});    
  res.write( "Your name has " + length + " characters." );  
  res.close();
}

You can also set a cookie secret to enable signed cookies, and prevent forged cookies:

cookie.secret = "myRandomSecretThatNoOneWillGuess";

so that the above becomes:

function( req, res ) {
  var name = req.getSecureCookie( "name" ),
      length = name.length;

  res.setSecureCookie( "name_length", length );

  res.writeHead(200, {"Content-Type": "text/html"});    
  res.write( "Your name has " + length + " characters." );  
  res.close();
}

(You don't need to set the secret, but your cookies will end up being invalidated when the server restarts, and you will be yelled at.)

When you set a secure cookie, the value is stored alongside its expiration date, as well as an HMAC SHA-1 digest of the two values with your secret. If a cookie's signature does not match that calculated on the server, the getSecureCookie method throws.

If you'd like to clear a cookie, just use res.clearCookie( name ).

That's about it. Send any questions or comments here.