or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

docs

index.mdrequest-cookies.mdresponse-cookies.mdserialization.md
tile.json

response-cookies.mddocs/

Response Cookies

The ResponseCookies class provides a comprehensive API for managing cookies in HTTP responses. It implements a loose version of the experimental W3C Cookie Store API without Promises, making it suitable for Edge Runtime environments. The class handles Set-Cookie headers and supports all standard cookie attributes.

Capabilities

Constructor

Creates a ResponseCookies instance from response headers, automatically parsing any existing Set-Cookie headers.

/**
 * Creates a ResponseCookies instance from response headers
 * @param responseHeaders - Headers object from an HTTP response
 */
constructor(responseHeaders: Headers);

Usage Example:

import { ResponseCookies } from "@edge-runtime/cookies";

const response = new Response("Hello World");
const cookies = new ResponseCookies(response.headers);

// Or with existing Set-Cookie headers
const responseWithCookies = new Response("Hello", {
  headers: { "Set-Cookie": "session=abc123; HttpOnly; Secure" }
});
const existingCookies = new ResponseCookies(responseWithCookies.headers);

Get Cookie

Retrieves a specific cookie by name or options.

/**
 * Get a cookie by name or options (W3C CookieStore#get without Promise)
 * @param args - Cookie name as string or ResponseCookie options
 * @returns ResponseCookie object or undefined if not found
 */
get(...args: [key: string] | [options: ResponseCookie]): ResponseCookie | undefined;

Usage Examples:

// Get by name
const sessionCookie = cookies.get("session");
console.log(sessionCookie?.value); // "abc123"

// Get by options (matching by name)
const cookie = cookies.get({ name: "theme", value: "", path: "/" });
console.log(cookie?.httpOnly); // true or false

Get All Cookies

Retrieves all cookies or filters by name/options.

/**
 * Get all cookies or filter by name/options (W3C CookieStore#getAll without Promise)
 * @param args - Optional filter by name or ResponseCookie options
 * @returns Array of ResponseCookie objects
 */
getAll(...args: [key: string] | [options: ResponseCookie] | []): ResponseCookie[];

Usage Examples:

// Get all cookies
const allCookies = cookies.getAll();
console.log(allCookies.length); // Number of response cookies

// Filter by name
const sessionCookies = cookies.getAll("session");
console.log(sessionCookies); // Array of cookies named "session"

Has Cookie

Checks if a cookie exists by name.

/**
 * Check if a cookie exists by name
 * @param name - Cookie name to check
 * @returns Boolean indicating existence
 */
has(name: string): boolean;

Usage Example:

if (!cookies.has("csrf_token")) {
  cookies.set("csrf_token", generateCSRFToken());
}

Set Cookie

Sets a cookie with optional attributes. Supports the full range of cookie options.

/**
 * Set a cookie with attributes (W3C CookieStore#set without Promise)
 * @param args - Either key-value-options or full ResponseCookie object
 * @returns this for method chaining
 */
set(...args: [key: string, value: string, cookie?: Partial<ResponseCookie>] | [options: ResponseCookie]): this;

Usage Examples:

// Basic key-value
cookies.set("user", "john");

// With options
cookies.set("session", "abc123", {
  httpOnly: true,
  secure: true,
  maxAge: 86400, // 24 hours
  sameSite: "strict"
});

// Full ResponseCookie object
cookies.set({
  name: "preferences",
  value: JSON.stringify({ theme: "dark", lang: "en" }),
  path: "/",
  domain: ".example.com",
  expires: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000), // 30 days
  secure: true,
  httpOnly: false,
  sameSite: "lax"
});

// Method chaining
cookies
  .set("user", "john")
  .set("role", "admin", { httpOnly: true });

Delete Cookie

Deletes a cookie by setting its value to empty and expires to past date.

/**
 * Delete a cookie (W3C CookieStore#delete without Promise)
 * @param args - Cookie name or options (without value/expires)
 * @returns this for method chaining
 */
delete(...args: [key: string] | [options: Omit<ResponseCookie, 'value' | 'expires'>]): this;

Usage Examples:

// Delete by name
cookies.delete("session");

// Delete with specific path/domain
cookies.delete({
  name: "user",
  path: "/admin",
  domain: ".example.com"
});

To String

Formats all cookies as a string suitable for debugging or logging.

/**
 * Format all cookies as a string for debugging
 * @returns Semicolon-separated cookie strings
 */
toString(): string;

Usage Example:

console.log(cookies.toString());
// "session=abc123; HttpOnly; Secure; user=john; Path=/"

Inspection Method

ResponseCookies provides a custom inspection method for debugging and logging purposes.

/**
 * Custom inspection method for debugging and logging
 * @returns Formatted string representation of response cookies
 */
[Symbol.for('edge-runtime.inspect.custom')](): string;

Usage Example:

const cookies = new ResponseCookies(response.headers);
cookies.set("session", "abc123", { httpOnly: true });
cookies.set("theme", "dark", { path: "/" });

console.log(cookies[Symbol.for('edge-runtime.inspect.custom')]());
// "ResponseCookies {"session":{"name":"session","value":"abc123","httpOnly":true},"theme":{"name":"theme","value":"dark","path":"/"}}"

// Also works with Node.js util.inspect
import { inspect } from 'util';
console.log(inspect(cookies));
// Uses the custom inspection method automatically

ResponseCookie Type

interface ResponseCookie extends CookieListItem {
  /** Cookie name */
  name: string;
  /** Cookie value */
  value: string;
  /** Expiration date as Date object or milliseconds */
  expires?: number | Date;
  /** Cookie domain */
  domain?: string;
  /** Cookie path */
  path?: string;
  /** Secure flag - cookie only sent over HTTPS */
  secure?: boolean;
  /** SameSite attribute */
  sameSite?: 'strict' | 'lax' | 'none';
  /** Partitioned attribute for CHIPS */
  partitioned?: boolean;
  /** HttpOnly flag - cookie not accessible via JavaScript */
  httpOnly?: boolean;
  /** Max age in seconds */
  maxAge?: number;
  /** Priority hint for cookie eviction */
  priority?: 'low' | 'medium' | 'high';
}

Cookie Attributes

Security Attributes

  • httpOnly: When true, prevents JavaScript access to the cookie
  • secure: When true, cookie is only sent over HTTPS connections
  • sameSite: Controls cross-site request behavior:
    • "strict": Never sent with cross-site requests
    • "lax": Sent with top-level navigation (default for most browsers)
    • "none": Always sent (requires secure: true)

Expiration Attributes

  • expires: Absolute expiration date as Date object or milliseconds
  • maxAge: Relative expiration in seconds from current time

Scope Attributes

  • domain: Cookie domain scope (defaults to current domain)
  • path: Cookie path scope (defaults to "/")

Modern Attributes

  • partitioned: Enables CHIPS (Cookies Having Independent Partitioned State)
  • priority: Hint for browser cookie eviction policies

Usage Example with All Attributes:

cookies.set("comprehensive_cookie", "value123", {
  expires: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days
  domain: ".example.com",
  path: "/",
  secure: true,
  httpOnly: true,
  sameSite: "strict",
  partitioned: true,
  priority: "high"
});