cookie-httponly v1.0.3
Cookie HttpOnly
Restricting access to cookies is essential for security in many web apps. For example, the session ID, the secret token used to identify a particular session, is typically stored in a cookie.
Cookies HttpOnly is a Node.js® module for getting and setting HTTP(S) cookies with the HttpOnly flag set and strict security policy. This module implemented by following the RFC 6265 Standard.
Getting Started
Installation
To use Cookie HttpOnly in your project, run:
npm i cookie-httponlyConfigure Nginx
Setting location up Nginx as proxy for Nodejs application:
location @nodejs {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Host $host:$server_port;
proxy_set_header IP $remote_addr;
}API docs
Table of Contents
- constructor: new Cookie(request, response)
- cookie.has(name)
- cookie.get(name)
- cookie.set(name, value[, options])
- cookie.request
- cookie.response
- cookie.entries
- cookie.domain
- cookie.secure
class: Cookie
This class implemented by following the ECMAScript® 2018 Language Specification Standard. To use this module:
const Cookie = require('cookie-httponly');constructor: new Cookie(request, response)
request[http.IncomingMessage](https://nodejs.org/api/http.html#http_class_http_incomingmessage)response[http.ServerResponse](https://nodejs.org/api/http.html#http_class_http_serverresponse).
const http = require('http');
const Cookie = require('cookie-httponly');
http.createServer((req, res) => {
const cookie = new Cookie(req, res);
res.end();
})
.listen(8080);When the class instance is initialized successfully, the HTTP headers are read and parsed. The resulting values are available from the cookie.entries field.
The connection must be established from the domain name (i.e., not an IP address)
cookie.has(name)
name[String](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String)- returns: [Boolean](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Boolean) A
trueif an element with the specified key exists in thecookie.entries; otherwisefalse.
The method returns a Boolean value indicating whether or not an element with the specified key name exists from the cookie.entries field.
cookie.get(name)
name[String](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String)- returns: <String | undefined> A
stringif an element with the specified key exists in thecookie.entries; otherwiseundefined.
The method returns the value of the specified name from the cookie.entries field.
cookie.set(name, value, options)
name[String](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String) Invalid characters will be deleted or escaped.value[String](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String) Invalid characters will be deleted or escaped.options[Object](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object)domain[String](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String) Thedomainoption specifies those hosts to which the cookie will be sent. For example, if the value of thedomainoption is'example.com', the user agent will include the cookie in the Cookie header when making HTTP(S) requests to'example.com','www.example.com', and'www.corp.example.com'.NOTE That a leading
'.', if present, is ignored even though that character is not permitted, but a trailing'.', if present, will cause the user agent to ignore the attribute.If the server omits the
domainoptions, the user agent will return the cookie only to the origin server.Domainmatching the string is a host name (i.e., not an IP address). Default:cookie.domain.path[String](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String) Cookie path, use'/'as the path if you want your cookie to be accessible on all pages. Default:'/'.expires[Date](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date) The Expires attribute indicates the date and time at which the cookie expires. Default:current session.
NOTE Typical session identifier might reasonably be set to expire in two weeks.
Installing HTTP(S) headers. Note that setting headers does not mean the appearance of values in the cookie.entries field. With the https secure connection, the method will automatically add the security flag to the headers.
An example of setting the headers to record cookies for 1 year.
const http = require('http');
const Cookie = require('cookie-httponly');
http.createServer((req, res) => {
const cookie = new Cookie(req, res);
let forYear = new Date();
cookie.set('user', '84b7e44aa54d002eac8d00f5bfa9cc93410f2a48', {
expires: forYear.setUTCFullYear(forYear.getUTCFullYear() + 1)
});
res.end();
})
.listen(8080);To send headers for remove of cookies by name, simply set the header with the begin date and time.
const http = require('http');
const Cookie = require('cookie-httponly');
http.createServer((req, res) => {
const cookie = new Cookie(req, res);
cookie.set('user', '', {
expires: new Date(0) // Thu, 01 Jan 1970 00:00:00 GMT
});
res.end();
})
.listen(8080);cookie.request
cookie.response
cookie.entries
- [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map) The values of the incoming cookie.
cookie.domain
- [String](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String) The value is set when creating an instance of the class from the
request.headersfield of the current connection. The connection must be established from the domain name (i.e., not an IP address).
cookie.secure
- [Boolean](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Boolean)
trueif the current session has a secure connection; otherwisefalse.
You can override the properties cookie.domain and cookie.secure.