{"id":17303,"library":"node-cookie","title":"Node.js HTTP Cookie Management","description":"node-cookie is a utility library for Node.js environments, designed to simplify the parsing, signing, encryption, creation, and clearing of HTTP cookies. It directly interfaces with Node.js's built-in `http.IncomingMessage` and `http.ServerResponse` objects, making it agnostic to higher-level web frameworks. The current stable version is 2.1.2, which was last published over six years ago. Despite some recent activity on its GitHub repository (commits in 2022-2023), the package itself has not seen new releases, suggesting it is in an abandoned or very low-maintenance state. Its key differentiator is providing low-level, built-in cookie signing and encryption capabilities without requiring a full framework or complex middleware, directly leveraging Node.js crypto primitives.","status":"abandoned","version":"2.1.2","language":"javascript","source_language":"en","source_url":"https://github.com/poppinss/node-cookie","tags":["javascript","cookies","cookie-parser","signed-cookies"],"install":[{"cmd":"npm install node-cookie","lang":"bash","label":"npm"},{"cmd":"yarn add node-cookie","lang":"bash","label":"yarn"},{"cmd":"pnpm add node-cookie","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This package is primarily CommonJS-first. For ESM, a default import is likely needed, or direct property access after a default import. Named exports are not explicitly defined.","wrong":"const { nodeCookie } = require('node-cookie')","symbol":"nodeCookie","correct":"import nodeCookie from 'node-cookie'"},{"note":"`create` is a method of the default exported `nodeCookie` object, not a named export itself. Direct destructuring `import { create }` will not work with CommonJS `module.exports`.","wrong":"import { create } from 'node-cookie'","symbol":"create","correct":"import nodeCookie from 'node-cookie'; nodeCookie.create(res, 'key', 'value')"},{"note":"`parse` is a method of the default exported `nodeCookie` object. The package uses CommonJS `require` in its examples, indicating CJS as its primary module system.","wrong":"import { parse } from 'node-cookie'","symbol":"parse","correct":"const nodeCookie = require('node-cookie'); const cookies = nodeCookie.parse(req)"},{"note":"Similar to `create` and `parse`, `get` is accessed via the default `nodeCookie` object. Direct destructuring for `require` or `import` is not supported for these methods.","wrong":"const { get } = require('node-cookie')","symbol":"get","correct":"const nodeCookie = require('node-cookie'); const value = nodeCookie.get(req, 'key')"}],"quickstart":{"code":"const http = require('http');\nconst nodeCookie = require('node-cookie');\n\nconst SECRET = process.env.COOKIE_SECRET ?? 'supersecretkeyfornodejsapp';\n\nhttp.createServer(function (req, res) {\n  if (req.url === '/set-cookie') {\n    // Create a signed and encrypted cookie\n    nodeCookie.create(res, 'userSession', 'user123', { expires: new Date(Date.now() + 60 * 60 * 1000) }, SECRET, true);\n    nodeCookie.create(res, 'lastVisit', new Date().toISOString(), SECRET, false);\n    res.writeHead(200, { 'Content-Type': 'text/plain' });\n    res.end('Cookies set!');\n  } else if (req.url === '/get-cookie') {\n    // Parse and retrieve cookies\n    const parsedCookies = nodeCookie.parse(req, SECRET, true);\n    const userSession = nodeCookie.get(req, 'userSession', SECRET, true);\n    const lastVisit = nodeCookie.get(req, 'lastVisit', SECRET, false);\n\n    res.writeHead(200, { 'Content-Type': 'application/json' });\n    res.end(JSON.stringify({\n      parsedCookies,\n      userSession: userSession || 'Not found or invalid',\n      lastVisit: lastVisit || 'Not found or invalid'\n    }));\n  } else {\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h1>Visit /set-cookie to set, or /get-cookie to retrieve.</h1>');\n  }\n}).listen(3000, () => {\n  console.log('Server running on http://localhost:3000');\n  console.log('Try http://localhost:3000/set-cookie then http://localhost:3000/get-cookie');\n});","lang":"javascript","description":"This quickstart demonstrates setting and retrieving signed and encrypted HTTP cookies using `node-cookie` with a basic Node.js HTTP server. It shows `create` for writing cookies with options for expiration, signing, and encryption, and `parse` and `get` for reading them, also handling decryption and unsigning."},"warnings":[{"fix":"For ESM projects, use `import nodeCookie from 'node-cookie';` and then access methods like `nodeCookie.create()`. For CommonJS, stick to `const nodeCookie = require('node-cookie');`.","message":"The package is explicitly CommonJS and uses `require`. Attempting to `import` it in a pure ESM context might lead to issues or require specific Node.js interoperability configurations (e.g., `createRequire`). Node.js ESM loader will treat `require('node-cookie')` as a default export, but explicit named imports are not supported.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Generate a strong, random secret (e.g., 32 characters or more) and load it from environment variables at runtime (`process.env.COOKIE_SECRET`). Never commit secrets to version control.","message":"Using a weak or hardcoded secret for signing and encryption (e.g., directly in source code) makes cookies vulnerable to tampering and decryption. The secret must be sufficiently long and complex, and should be managed securely (e.g., via environment variables).","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Ensure `secure: true` is only used when the server is accessible via HTTPS. Double-check `domain` (should match the host or be a valid parent domain) and `path` (defaults to `/`) options to ensure they align with the client-side context. Test with browser developer tools to inspect `Set-Cookie` headers.","message":"Cookies might not be set in the browser if `secure: true` is used when serving over HTTP, or if `domain` or `path` options are misconfigured. Browsers strictly enforce these attributes.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Consider migrating to actively maintained cookie parsing and signing libraries like `cookies` or `tough-cookie` for robust, up-to-date solutions, especially in production environments.","message":"This package has not been updated in over six years (last published version 2.1.2). It may not receive security updates or be compatible with future Node.js versions or evolving web standards (e.g., `SameSite=None; Secure;` requirements).","severity":"deprecated","affected_versions":">=2.1.2"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Ensure a non-empty string secret is passed as the fourth argument to `create` or `parse`/`get` methods, or as part of the options object.","cause":"The `secret` parameter for signing or encrypting cookies was not provided or was of an incorrect type (e.g., `null`, `undefined`, or a number).","error":"TypeError: The 'secret' argument must be a string or a Buffer"},{"fix":"Verify that the *exact same secret* is used for both encrypting (during `create`) and decrypting (during `parse` or `get`) a cookie. Ensure the secret meets the length requirements of the underlying cryptographic algorithm (e.g., 16, 24, or 32 characters for AES-128, AES-192, AES-256 respectively, or derived consistently).","cause":"This cryptographic error often occurs when the secret key used for encryption/decryption is inconsistent or of an incorrect length, or if the cookie value itself has been tampered with or corrupted.","error":"Error: Invalid IV length"},{"fix":"Check the `Set-Cookie` header in the server response for errors. Ensure `secure: true` is only for HTTPS. Verify `domain` and `path` match the request URL. If `httpOnly: true` is set, the cookie won't be accessible by client-side JavaScript, but should still be sent by the browser. Explicitly set `expires` or `maxAge` to ensure persistence.","cause":"The `Set-Cookie` header was not properly sent by the server, or the browser rejected the cookie due to incorrect attributes (e.g., `Domain`, `Path`, `Secure`, `HttpOnly`, `Expires`, `SameSite`).","error":"Cookie 'mycookie' is not visible in browser developer tools / `req.headers.cookie` does not contain 'mycookie'"}],"ecosystem":"npm","meta_description":null}