Cookies

HTTP is stateless.

  • Every request is independent of the previous ones
  • Cookies & sessions save state

Cookies are visible to users

Signed cookies can obfuscate their contents, but they do not encrypt them

Don’t trust cookies

  • Use signed cookies to ensure they’re not tampered
  • cookies can be abused in XSS attacks

Prefer session over cookies

  • Sessions use cookies but they are safer
  • Express knows how to handle sessions

Sessions

    // Set
    res.cookie(
      SessionCookie.COOKIE_NAME,
      sessionId,
      SessionCookie.makeOptions(
        cookieDomain,
        SessionCookie.DEFAULT_MAX_AGE
      )
    )
    .redirect(nextUrl);

    // Get on request
    req.cookies.session_id

  • store state on client
  • npm module cookie-session
  • helps to handle storing info in the client
  • npm module express-session stores the session data on the Express server (in memory by default) instead of on the client. To share sessions across multiple node instances, use an external session store such as a NoSQL database.
  • Sessions are useful to save user preferences, auth info, tracking, etc.

Externalizing Credentials

The cookie secret is what makes secure cookies secure.

  • it's a string known only to the server, used to sign secure cookies before they're sent to the client (signing, not encryption, as noted above)
  • it can be any random string, e.g. the output of a password generator tool

Parse cookies

  • npm module cookie-parser is a middleware to handle cookies.
  • register it with the cookie secret:

    app.use(require('cookie-parser')(credentials.cookieSecret));

Set cookies

    res.cookie('monster', 'nom nom');
    res.cookie('signed_monster', 'nom nom', {signed: true});

domain

  • controls the domain and subdomains for the cookie
  • The cookie must be assigned to the same domain as its server. Otherwise it won't work at all.

path

  • controls the path this cookie applies to

maxAge

  • expiration time in milliseconds
  • this is simpler than using expires

secure

  • if true, the browser will only send the cookie back over a secure HTTPS connection

httpOnly

  • marks the cookie as inaccessible to client-side JavaScript, so it can only be read and modified by the server
  • this mitigates XSS attacks (injected script cannot read or change the cookie)

signed

  • set to true to sign the cookie
  • a signed cookie that has been tampered with is rejected by the server and its value is reset

Retrieve cookies from client

    var monster = req.cookies.monster;
    // signed cookies are read from req.signedCookies, under the name they were set with
    var signedMonster = req.signedCookies.signed_monster;

Clear a cookie

    res.clearCookie('monster');