Express Cookies

Using Express Cookies

Express Cookies

by John Vincent

Posted on July 5, 2017

Handling Cookies for an Express App

Straightforward stuff, so let us begin.

NPM Cookie-parser

npm cookie-parser


Define the name of the application cookie.


exports.COOKIE_NAME = 'my-app-cookie-name';


I consider this to be middleware. Thus


const cookieParser = require('cookie-parser');



List Cookies


const listCookies = (req, res, next) => {
    console.log('Cookies: ', req.cookies);  // Cookies that have not been signed
    console.log('Signed Cookies: ', req.signedCookies); // Cookies that have been signed

List the Request


const logRequest = (req, res, next) => {
    const logObj = {
        time: (new Date()).toTimeString(),
        method: req.method,
        hostname: req.hostname,
        path: req.path,
        "content type": req.get('Content-Type'),
        query: JSON.stringify(req.query),
        body: JSON.stringify(req.body)
    Object.keys(logObj).forEach(key => console.log(`request ${key}: ${logObj[key]}`));



app.all('/', logRequest);
app.all('/', listCookies);


  • parses request cookies,
  • populating req.cookies
  • when the secret is passed, populates req.signedCookies
    • secret is used for signing the cookies.

For a signed cookie

app.use(cookieParser('my secret here'));

Create a Cookie

General rule for setting cookie maxage

maxage = number of days * 24 hours * 60 minutes * 60 seconds * 1000 milliseconds

The application can create a cookie upon successful login.

if (remember) {
    const cookie_options = {
        maxAge: 1000 * 60 * 15,      // would expire after 15 minutes
        httpOnly: false,             // The cookie only accessible by the web server
        signed: false                // Indicates if the cookie should be signed
    res.cookie(COOKIE_NAME, email, cookie_options);

When the response is sent, the cookie will be sent with the response.

For example, here the cookie is sent with a token.

const filtered_user = { 
    username: user.username

const token = jwt.sign(filtered_user, AUTHENTICATION_KEY, {
    expiresIn: 60 * 60
return res.status(200).json({ token });

Another use case

app.get('/', (req, res) => {
    let cookie = req.cookies[cookieName];
    if (req.cookies[cookieName] === undefined) {
        res.cookie(cookieName, 'my-value', cookie_options);
        console.log('cookie created successfully');
    else {
        console.log('Cookie found, value is', cookie);
    res.sendFile(__dirname + '/views/index.html');

Delete a Cookie

  • res.clearCookie(COOKIE_NAME);

During development, I like to use an endpoint to delete a cookie. For example:

app.get('/forget-cookie', (req, res) => {
    res.send('cookie cleared');

JavaScript Client

There are some packages that make this a little easier, but let's go native.

List Cookies

function listCookies() {
    var allcookies = document.cookie;
    var cookiearray  = allcookies.split(';');
    for (var i = 0; i < cookiearray.length; i++) {
        name = cookiearray[i].split('=')[0];
        value = cookiearray[i].split('=')[1];
        console.log("Key is : " + name + " and Value is : " + value);

Get Cookie value. This method requires a cookie name. The value is retrieved and decoded.

function getUsernameFromCookie(cookieName) {
    var allcookies = document.cookie;
    var cookiearray = allcookies.split(';');
    for (var i = 0; i < cookiearray.length; i++) {
        var name = cookiearray[i].split('=')[0];
        if (cookieName === name.trim()) {
            return decodeURIComponent(cookiearray[i].split('=')[1]);
    return '';

Use the Cookie

Using a real example. A login form should get the username from the cookie, if it exists.

$(function() {

    var cookie_email = getUsernameFromCookie('my-app-cookie');

When the page loads, get the value of the cookie 'my-app-cookie' and copy it to the email address field.

Signed Cookie

The signed property is true.


if (remember) {
    const cookie_options = {
        maxAge: 1000 * 60 * 15,
        httpOnly: false,
        signed: true
    res.cookie(COOKIE_NAME, email, cookie_options);

The cookie will still be visible, but it has a signature, so it can detect if the client modified the cookie.

It works by creating a HMAC of the value (current cookie), and base64 encoded it. When the cookie gets read, it recalculates the signature and makes sure that it matches the signature attached to it.

If it does not match, it will give an error.

To access a signed cookie