A Node.js implementation of RFC6265 for cookie parsing, storage, and retrieval.
Install Tough Cookie using npm:
or yarn:
import { Cookie, CookieJar } from 'tough-cookie'
// parse a `Cookie` request header
const reqCookies = 'ID=298zf09hf012fh2; csrf=u32t4o3tb3gg43; _gat=1'
.split(';')
.map(Cookie.parse)
// generate a `Cookie` request header
const cookieHeader = reqCookies.map((cookie) => cookie.cookieString()).join(';')
// parse a Set-Cookie response header
const resCookie = Cookie.parse(
'foo=bar; Domain=example.com; Path=/; Expires=Tue, 21 Oct 2025 00:00:00 GMT',
)
// generate a Set-Cookie response header
const setCookieHeader = cookie.toString()
// store and retrieve cookies
const cookieJar = new CookieJar() // uses the in-memory store by default
await cookieJar.setCookie(resCookie, 'https://example.com/')
const matchingCookies = await cookieJar.getCookies('https://example.com/')
Important
For more detailed usage information, refer to the API docs.
Support for RFC6265bis is being developed. As these revisions to RFC6252 are still in Active Internet-Draft state, the areas of support that follow are subject to change.
This change makes it possible for servers, and supporting clients, to mitigate certain types of CSRF attacks by disallowing SameSite cookies from being sent cross-origin.
import { CookieJar } from 'tough-cookie'
const cookieJar = new CookieJar() // uses the in-memory store by default
// storing cookies with various SameSite attributes
await cookieJar.setCookie(
'strict=authorized; SameSite=strict',
'http://example.com/index.html',
)
await cookieJar.setCookie(
'lax=okay; SameSite=lax',
'http://example.com/index.html',
)
await cookieJar.setCookie('normal=whatever', 'http://example.com/index.html')
// retrieving cookies using a SameSite context
const laxCookies = await cookieJar.getCookies('http://example.com/index.html', {
// the first cookie (strict=authorized) will not be returned if the context is 'lax'
// but the other two cookies will be returned
sameSiteContext: 'lax',
})
Note
It is highly recommended that you read RFC6265bis - Section 8.8 for more details on SameSite cookies, security considerations, and defense in depth.
Cookie prefixes are a way to indicate that a given cookie was set with a set of attributes simply by inspecting the first few characters of the cookie's name.
Two prefixes are defined:
"__Secure-"
If a cookie's name begins with a case-sensitive match for the string __Secure-, then the cookie was set with a "Secure" attribute.
"__Host-"
If a cookie's name begins with a case-sensitive match for the string __Host-, then the cookie was set with a "Secure" attribute, a "Path" attribute with a value of "/", and no "Domain" attribute.
If prefixSecurity is enabled for CookieJar, then cookies that match the prefixes defined above but do not obey the attribute restrictions are not added.
You can define this functionality by passing in the prefixSecurity option to CookieJar. It can be one of 3 values:
silent: (default) Enable cookie prefix checking but silently fail to add the cookie if conditions are not met.strict: Enable cookie prefix checking and error out if conditions are not met.unsafe-disabled: Disable cookie prefix checking.If
ignoreErroris passed in astruewhen setting a cookie then the error is silent regardless of theprefixSecurityoption (assuming it's enabled).
import { CookieJar, MemoryCookieStore } from 'tough-cookie'
const cookieJar = new CookieJar(new MemoryCookieStore(), {
prefixSecurity: 'silent',
})
// this cookie will be silently ignored since the url is insecure (http)
await cookieJar.setCookie(
'__Secure-SID=12345; Domain=example.com; Secure;',
'http://example.com',
)
// this cookie will be stored since the url is secure (https)
await cookieJar.setCookie(
'__Secure-SID=12345; Domain=example.com; Secure;',
'https://example.com',
) Potentially Trustworthy Origins are considered "Secure"
The definition of a "Secure" connection is not explicitly defined by RFC6265bis but the following text is provided in RFC6265bis - Section 5.8.3:
Note
Typically, user agents consider a connection secure if the connection makes use of transport-layer security, such as SSL or TLS, or if the host is trusted. For example, most user agents consider "https" to be a scheme that denotes a secure protocol and "localhost" to be trusted host.
As well as a note to Appendix A. Changes from RFC6265 which refers to "potentially trustworthy origins" which are defined in the Secure Contexts - W3C Candidate Recommendation Draft:
Note
Considers potentially trustworthy origins as "secure".
Since most web browsers treat localhost as a trustworthy origin, by default, so does tough-cookie. To disable this behavior, the CookieStore must be configured with:
import { CookieJar, MemoryCookieStore } from 'tough-cookie'
const cookieJar = new CookieJar(new MemoryCookieStore(), {
// add configuration so localhost will not be considered trustworthy
// (fyi - this doesn't apply to https cookies on localhost as those use a secure protocol)
allowSecureOnLocal: false,
})
// this cookie will be persisted to storage
await cookieJar.setCookie(
'SID=12345; Domain=localhost; Secure;',
'http://localhost',
)
// but, on retrieval, it will not be returned
await cookieJar.getCookiesSync('http://localhost')
We follow the Node.js release schedule and support all versions that are in Active LTS or Maintenance. We will always do a major release when dropping support for older versions of node, and we will do so in consultation with our community.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4