{"id":17544,"library":"connect-cookies","title":"Connect/Express Cookie Middleware","description":"connect-cookies is an unmaintained Node.js middleware for the `connect` and `express` frameworks, designed to simplify reading and setting HTTP(S) cookies. It wraps the `cookies` and `keygrip` packages to provide cookie management capabilities, including support for signed cookies to prevent tampering. Despite its purpose, the package is stuck at version `0.0.0` and has not seen updates in nearly a decade. Its underlying dependencies (`cookies` and `keygrip`) are also quite old. Modern Node.js applications, especially those using recent versions of Express, should avoid this package due to its abandoned status, potential security vulnerabilities, and lack of support for contemporary cookie standards (e.g., `SameSite` attribute defaults and `__Host` prefixes). Current stable alternatives like `cookie-parser` for basic cookie handling and `express-session` or `cookie-session` for session management are recommended for active development.","status":"abandoned","version":"0.0.0","language":"javascript","source_language":"en","source_url":"git://github.com/segmentio/connect-cookies","tags":["javascript"],"install":[{"cmd":"npm install connect-cookies","lang":"bash","label":"npm"},{"cmd":"yarn add connect-cookies","lang":"bash","label":"yarn"},{"cmd":"pnpm add connect-cookies","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Core library for cookie parsing and setting, used internally by connect-cookies.","package":"cookies","optional":false},{"reason":"Used by the 'cookies' package for cryptographic signing of cookie values to prevent tampering.","package":"keygrip","optional":true},{"reason":"Peer dependency, as this package is designed as middleware for the Connect framework (and by extension, Express).","package":"connect","optional":false}],"imports":[{"note":"This package is CommonJS-only due to its age and lack of maintenance. ESM imports are not supported.","wrong":"import cookies from 'connect-cookies';","symbol":"cookies","correct":"const cookies = require('connect-cookies');"},{"note":"The underlying 'connect' framework is also CommonJS-only in its typical usage with this middleware.","wrong":"import connect from 'connect';","symbol":"connect","correct":"const connect = require('connect');"}],"quickstart":{"code":"const connect = require('connect');\nconst cookies = require('connect-cookies');\n\nconst app = connect();\n\n// Pass an array of keys used to sign cookies. In production, these should be strong and rotated.\n// process.env.COOKIE_KEYS should be a comma-separated string of keys.\nconst cookieKeys = process.env.COOKIE_KEYS ? process.env.COOKIE_KEYS.split(',') : ['your_secret_key_here', 'another_secret_key'];\n\napp.use(cookies(cookieKeys));\n\napp.use(function(req, res) {\n  // Access cookies via req.cookies, which is an instance of the 'cookies' module.\n  // .get() method retrieves a cookie.\n  let views = req.cookies.get('views') || 0;\n  views = parseInt(views, 10) + 1;\n\n  // .set() method sets a cookie. Include 'signed: true' to sign the cookie so tampering is detected (signing does not encrypt the value).\n  // Ensure appropriate secure, httpOnly, and SameSite options for production.\n  req.cookies.set('views', views.toString(), { signed: true, httpOnly: true, secure: process.env.NODE_ENV === 'production' });\n\n  res.end(`${views} views`);\n});\n\nconst PORT = process.env.PORT || 3000;\napp.listen(PORT, () => {\n  console.log(`Server listening on port ${PORT}`);\n  console.log(`Visit http://localhost:${PORT}/ to see the view counter.`);\n});","lang":"javascript","description":"Demonstrates basic usage of `connect-cookies` middleware to implement a simple view counter, storing the count in a signed cookie. It showcases cookie retrieval and setting."},"warnings":[{"fix":"Migrate to `cookie-parser` for basic cookie handling and `express-session` or `cookie-session` for session management.","message":"This package is unmaintained and stuck at version 0.0.0. It will not receive any further updates, bug fixes, or security patches. Using it in production is strongly discouraged.","severity":"breaking","affected_versions":"0.0.0"},{"fix":"Replace with maintained alternatives like `cookie-parser` and `express-session` which provide secure defaults and are actively patched. Implement strong Content Security Policies (CSPs).","message":"The package and its dependencies are old, lacking modern security features for cookie handling (e.g., robust `SameSite` attribute defaults, `__Host` prefixes). This makes applications vulnerable to common attacks like Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) if not carefully configured manually.","severity":"security","affected_versions":"0.0.0"},{"fix":"Avoid using this package in new projects. For existing projects, consider a full migration to modern middleware to ensure compatibility and stability.","message":"Designed for older `connect`/`express` versions (likely 2.x/3.x era). Compatibility with newer Node.js versions or Express 4.x/5.x is not guaranteed and may lead to unexpected behavior or breaking changes.","severity":"gotcha","affected_versions":"0.0.0"},{"fix":"If used in an ESM project, you would need to use `createRequire` or transpile your code, which adds unnecessary complexity. It's best to use modern, ESM-compatible alternatives.","message":"The package is CommonJS-only, meaning it cannot be directly imported using ESM `import` syntax. This can cause issues in modern Node.js environments that primarily use ESM.","severity":"gotcha","affected_versions":"0.0.0"}],"env_vars":null,"last_verified":"2026-04-23T00:00:00.000Z","next_check":"2026-07-22T00:00:00.000Z","problems":[{"fix":"Ensure `app.use(cookies(keys))` is called before any route handlers attempt to access `req.cookies`. Verify that `connect-cookies` is the intended cookie middleware.","cause":"The `connect-cookies` middleware was not correctly applied or initialized, or another middleware overwrote `req.cookies`.","error":"TypeError: req.cookies.get is not a function"},{"fix":"Review middleware and route handler logic to ensure `res.end()` (or similar) is called only once. Ensure `next()` is called if the middleware is not terminating the request.","cause":"A common Express/Connect error indicating that `res.end()`, `res.send()`, or `res.json()` was called more than once, or headers were sent before attempting to set a cookie.","error":"Error: Can't set headers after they are sent."},{"fix":"Ensure that cookies intended to be signed are set with `req.cookies.set('cookieName', value, { signed: true })` and that the `cookies()` middleware is initialized with the correct `keys` array that was used for signing.","cause":"Attempting to retrieve a signed cookie using `req.cookies.get('cookieName', { signed: true })` when the cookie was not originally set with `signed: true` or with valid keys, or the keys provided to `connect-cookies` do not match the keys used to sign the cookie.","error":"Error: Not a signed cookie."}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}