1 | # cookie-session
|
2 |
|
3 | [![NPM Version][npm-image]][npm-url]
|
4 | [![NPM Downloads][downloads-image]][downloads-url]
|
5 | [![Build Status][travis-image]][travis-url]
|
6 | [![Test Coverage][coveralls-image]][coveralls-url]
|
7 |
|
8 | Simple cookie-based session middleware.
|
9 |
|
10 | A user session can be stored in two main ways with cookies: on the server or on
|
11 | the client. This module stores the session data on the client within a cookie,
|
12 | while a module like [express-session](https://www.npmjs.com/package/express-session)
|
13 | stores only a session identifier on the client within a cookie and stores the
|
14 | session data on the server, typically in a database.
|
15 |
|
16 | The following points can help you choose which to use:
|
17 |
|
18 | * `cookie-session` does not require any database / resources on the server side,
|
19 | though the total session data cannot exceed the browser's max cookie size.
|
20 | * `cookie-session` can simplify certain load-balanced scenarios.
|
21 | * `cookie-session` can be used to store a "light" session and include an identifier
|
22 | to look up a database-backed secondary store to reduce database lookups.
|
23 |
|
24 | ## Semantics
|
25 |
|
26 | This module provides "guest" sessions, meaning any visitor will have a session,
|
27 | authenticated or not. If a session is _new_ a `Set-Cookie` will be produced regardless
|
28 | of populating the session.
|
29 |
|
30 | ## Install
|
31 |
|
32 | ```bash
|
33 | $ npm install cookie-session
|
34 | ```
|
35 |
|
36 | ## API
|
37 |
|
38 | ```js
|
39 | var cookieSession = require('cookie-session')
|
40 | ```
|
41 |
|
42 | ### cookieSession(options)
|
43 |
|
44 | Create a new cookie session middleware with the provided options.
|
45 |
|
46 | #### Options
|
47 |
|
48 | Cookie session accepts these properties in the options object.
|
49 |
|
50 | ##### name
|
51 |
|
52 | The name of the cookie to set, defaults to `express:sess`.
|
53 |
|
54 | ##### keys
|
55 |
|
56 | The list of keys to use to sign & verify cookie values. Set cookies are always
|
57 | signed with `keys[0]`, while the other keys are valid for verification, allowing
|
58 | for key rotation.
|
59 |
|
60 | ##### secret
|
61 |
|
62 | A string which will be used as single key if `keys` is not provided.
|
63 |
|
64 | ##### Cookie Options
|
65 |
|
66 | Other options are passed to `cookies.get()` and `cookies.set()` allowing you
|
67 | to control security, domain, path, and signing among other settings.
|
68 |
|
69 | The options can also contain any of the following (for the full list, see
|
70 | [cookies module documentation](https://www.npmjs.org/package/cookies#readme):
|
71 |
|
72 | - `maxAge`: a number representing the milliseconds from `Date.now()` for expiry
|
73 | - `expires`: a `Date` object indicating the cookie's expiration date (expires at the end of session by default).
|
74 | - `path`: a string indicating the path of the cookie (`/` by default).
|
75 | - `domain`: a string indicating the domain of the cookie (no default).
|
76 | - `secure`: a boolean indicating whether the cookie is only to be sent over HTTPS (`false` by default for HTTP, `true` by default for HTTPS).
|
77 | - `secureProxy`: a boolean indicating whether the cookie is only to be sent over HTTPS (use this if you handle SSL not in your node process).
|
78 | - `httpOnly`: a boolean indicating whether the cookie is only to be sent over HTTP(S), and not made available to client JavaScript (`true` by default).
|
79 | - `signed`: a boolean indicating whether the cookie is to be signed (`true` by default).
|
80 | - `overwrite`: a boolean indicating whether to overwrite previously set cookies of the same name (`true` by default).
|
81 |
|
82 | ### req.session
|
83 |
|
84 | Represents the session for the given request.
|
85 |
|
86 | #### .isNew
|
87 |
|
88 | Is `true` if the session is new.
|
89 |
|
90 | #### .populated
|
91 |
|
92 | Determine if the session has been populated with data or is empty.
|
93 |
|
94 | ### req.sessionOptions
|
95 |
|
96 | Represents the session options for the current request. These options are a
|
97 | shallow clone of what was provided at middleware construction and can be
|
98 | altered to change cookie setting behavior on a per-request basis.
|
99 |
|
100 | ### Destroying a session
|
101 |
|
102 | To destroy a session simply set it to `null`:
|
103 |
|
104 | ```js
|
105 | req.session = null
|
106 | ```
|
107 |
|
108 | ## Example
|
109 |
|
110 | ### Simple view counter example
|
111 |
|
112 | ```js
|
113 | var cookieSession = require('cookie-session')
|
114 | var express = require('express')
|
115 |
|
116 | var app = express()
|
117 |
|
118 | app.set('trust proxy', 1) // trust first proxy
|
119 |
|
120 | app.use(cookieSession({
|
121 | name: 'session',
|
122 | keys: ['key1', 'key2']
|
123 | }))
|
124 |
|
125 | app.use(function (req, res, next) {
|
126 | // Update views
|
127 | req.session.views = (req.session.views || 0) + 1
|
128 |
|
129 | // Write response
|
130 | res.end(req.session.views + ' views')
|
131 | })
|
132 |
|
133 | app.listen(3000)
|
134 | ```
|
135 |
|
136 | ## Per-user sticky max age
|
137 |
|
138 | ```js
|
139 | var cookieSession = require('cookie-session')
|
140 | var express = require('express')
|
141 |
|
142 | var app = express()
|
143 |
|
144 | app.set('trust proxy', 1) // trust first proxy
|
145 |
|
146 | app.use(cookieSession({
|
147 | name: 'session',
|
148 | keys: ['key1', 'key2']
|
149 | }))
|
150 |
|
151 | // This allows you to set req.session.maxAge to let certain sessions
|
152 | // have a different value than the default.
|
153 | app.use(function (req, res, next) {
|
154 | req.sessionOptions.maxAge = req.session.maxAge || req.sessionOptions.maxAge
|
155 | })
|
156 |
|
157 | // ... your logic here ...
|
158 | ```
|
159 |
|
160 | ## License
|
161 |
|
162 | [MIT](LICENSE)
|
163 |
|
164 | [npm-image]: https://img.shields.io/npm/v/cookie-session.svg
|
165 | [npm-url]: https://npmjs.org/package/cookie-session
|
166 | [travis-image]: https://img.shields.io/travis/expressjs/cookie-session/master.svg
|
167 | [travis-url]: https://travis-ci.org/expressjs/cookie-session
|
168 | [coveralls-image]: https://img.shields.io/coveralls/expressjs/cookie-session.svg
|
169 | [coveralls-url]: https://coveralls.io/r/expressjs/cookie-session?branch=master
|
170 | [downloads-image]: https://img.shields.io/npm/dm/cookie-session.svg
|
171 | [downloads-url]: https://npmjs.org/package/cookie-session
|