tessl/npm-cookie
HTTP server cookie parsing and serialization
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Securityby
Pending
The risk profile of this skill
index.mddocs/
Cookie
Cookie provides HTTP server cookie parsing and serialization that is RFC 6265 compliant. It offers a simple API for parsing Cookie headers into JavaScript objects and serializing cookie name-value pairs into Set-Cookie header strings with comprehensive attribute support.
Package Information
- Package Name: cookie
- Package Type: npm
- Language: TypeScript
- Installation:
npm install cookie
Core Imports
import { parse, serialize } from "cookie";
import type { ParseOptions, SerializeOptions } from "cookie";For CommonJS:
const { parse, serialize } = require("cookie");Basic Usage
import { parse, serialize } from "cookie";
// Parse Cookie header
const cookies = parse("foo=bar; equation=E%3Dmc%5E2");
console.log(cookies); // { foo: 'bar', equation: 'E=mc^2' }
// Serialize cookie for Set-Cookie header
const setCookie = serialize("sessionId", "abc123", {
httpOnly: true,
secure: true,
maxAge: 3600
});
console.log(setCookie); // "sessionId=abc123; Max-Age=3600; HttpOnly; Secure"Capabilities
Cookie Parsing
Parses a HTTP Cookie header string into an object containing all cookie name-value pairs.
/**
* Parse a cookie header string into an object of name-value pairs
* @param str - Cookie header string to parse
* @param options - Optional parsing configuration
* @returns Object with cookie names as keys and values as strings
*/
function parse(
str: string,
options?: ParseOptions
): Record<string, string | undefined>;
interface ParseOptions {
/**
* Function to decode cookie values. Defaults to decodeURIComponent with error handling.
* If decoding fails, returns the original value.
*/
decode?: (str: string) => string | undefined;
}Usage Examples:
import { parse } from "cookie";
// Basic parsing
const cookies = parse("name=value; theme=dark");
// Result: { name: 'value', theme: 'dark' }
// Custom decode function with type safety
import type { ParseOptions } from "cookie";
const parseOptions: ParseOptions = {
decode: (value) => {
try {
return JSON.parse(decodeURIComponent(value));
} catch {
return value;
}
}
};
const cookiesWithCustomDecode = parse("data=%7B%22user%22%3A%22alice%22%7D", parseOptions);
// Handles malformed cookies gracefully
const messyCookies = parse("valid=ok; malformed; another=value");
// Result: { valid: 'ok', another: 'value' }Cookie Serialization
Serializes a cookie name-value pair into a Set-Cookie header string with optional attributes.
/**
* Serialize a cookie name-value pair into a Set-Cookie header string
* @param name - Cookie name (must be valid according to RFC 6265)
* @param val - Cookie value (will be encoded)
* @param options - Optional serialization attributes
* @returns Set-Cookie header string
* @throws TypeError if name or encoded value is invalid
*/
function serialize(
name: string,
val: string,
options?: SerializeOptions
): string;
interface SerializeOptions {
/**
* Function to encode cookie values. Defaults to encodeURIComponent.
*/
encode?: (str: string) => string;
/**
* Max-Age attribute in seconds. Takes precedence over expires if both are set.
*/
maxAge?: number;
/**
* Expires attribute as Date object. Creates session cookie if omitted.
*/
expires?: Date;
/**
* Domain attribute. Cookie applies to current domain only if omitted.
*/
domain?: string;
/**
* Path attribute. Uses default path if omitted.
*/
path?: string;
/**
* HttpOnly flag. Prevents client-side JavaScript access when true.
*/
httpOnly?: boolean;
/**
* Secure flag. Only sent over HTTPS when true.
*/
secure?: boolean;
/**
* Partitioned flag. Experimental attribute for CHIPS support.
*/
partitioned?: boolean;
/**
* Priority attribute for cookie eviction priority.
*/
priority?: "low" | "medium" | "high";
/**
* SameSite attribute for CSRF protection.
* - true or "strict": Strict same-site enforcement
* - "lax": Lax same-site enforcement (default behavior)
* - "none": Explicit cross-site cookie (requires Secure)
*/
sameSite?: boolean | "lax" | "strict" | "none";
}Usage Examples:
import { serialize } from "cookie";
// Basic serialization
const basic = serialize("sessionId", "abc123");
// Result: "sessionId=abc123"
// Session cookie with security attributes using typed options
import type { SerializeOptions } from "cookie";
const sessionOptions: SerializeOptions = {
httpOnly: true,
secure: true,
sameSite: "strict"
};
const sessionCookie = serialize("session", "user123", sessionOptions);
// Result: "session=user123; HttpOnly; Secure; SameSite=Strict"
// Persistent cookie with expiration
const persistent = serialize("preferences", "theme=dark", {
expires: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days
domain: "example.com",
path: "/",
maxAge: 604800 // 7 days in seconds
});
// Cross-site cookie configuration
const crossSite = serialize("tracking", "analytics123", {
sameSite: "none",
secure: true, // Required for SameSite=None
partitioned: true // CHIPS support
});
// Custom encoding
const customEncoded = serialize("data", '{"user":"alice"}', {
encode: (value) => Buffer.from(value).toString('base64')
});Error Handling
The serialize function throws TypeError for invalid inputs:
- Invalid cookie names (must match RFC 6265 token specification)
- Invalid encoded cookie values (must match RFC 6265 cookie-value specification)
- Invalid maxAge values (must be integers)
- Invalid expires values (must be valid Date objects)
- Invalid domain values (must match RFC 1034/1123 subdomain format, allows leading dot)
- Invalid path values (must contain only valid CHAR excluding CTLs and semicolons)
- Invalid priority values (must be "low", "medium", or "high")
- Invalid sameSite values (must be boolean, "lax", "strict", or "none")
// These will throw TypeError
serialize("invalid name", "value"); // Invalid name with space
serialize("name", "value", { maxAge: 3.14 }); // Non-integer maxAge
serialize("name", "value", { priority: "urgent" }); // Invalid priority
serialize("name", "value", { domain: "invalid..domain" }); // Invalid domain format
serialize("name", "value", { path: "/path;with;semicolons" }); // Invalid path characters