expressjs/express
Cookies and sessions
Active contributors: dougwilson, wesleytodd, ulisesgascon
Express ships cookie writing helpers but does not parse cookies on its own. Sessions are entirely external — Express simply integrates with packages like cookie-session and express-session.
What's in core
| Helper | Where | Notes |
|---|---|---|
res.cookie(name, value, [opts]) |
lib/response.js |
Serialises with the cookie package; supports signed cookies via cookie-signature. |
res.clearCookie(name, [opts]) |
lib/response.js |
Sets expires to new Date(1), strips maxAge. Express 5 ignores user-provided expires/maxAge. |
req.signedCookies (set by cookie-parser) |
external | Read-only accessor; populated by the cookie-parser middleware. |
There is no req.cookies accessor in Express itself — to read cookies, mount cookie-parser middleware. Most apps do.
Setting a cookie
res.cookie('rememberme', '1', {
maxAge: 900000, // 15 minutes (ms); converted to expires
httpOnly: true,
secure: true,
sameSite: 'lax',
});res.cookie flow:
graph TD
Call[res.cookie name, value, opts] --> Stringify{typeof value}
Stringify -- object --> JStr["val = j: + JSON.stringify"]
Stringify -- other --> AsStr[val = String value]
JStr --> Sign{opts.signed?}
AsStr --> Sign
Sign -- yes --> CheckSecret{req.secret?}
CheckSecret -- no --> Throw[throw cookieParser secret required]
CheckSecret -- yes --> SignVal["val = s: + sign val, secret"]
SignVal --> MaxAge
Sign -- no --> MaxAge{opts.maxAge?}
MaxAge -- yes --> Convert[expires = now + maxAge,<br/>maxAge = floor maxAge / 1000]
MaxAge -- no --> Path
Convert --> Path{opts.path?}
Path -- no --> SetSlash["path = /"]
Path -- yes --> Append
SetSlash --> Append[res.append Set-Cookie, cookie.serialize ...]A few things worth knowing:
- Signed cookies need
req.secret. That's set bycookie-parser('secret'). Without it,res.cookie('x', 'y', { signed: true })throws. - Object values get the
j:prefix. That's the conventioncookie-parserrecognises when reading. maxAgeis in milliseconds; Express writes bothexpires(an absolute Date) andMax-Age(in seconds). Thecookiepackage handles formatting.pathdefaults to/if not specified.
Clearing a cookie
res.clearCookie('rememberme', { path: '/' });clearCookie is implemented as res.cookie(name, '', { ...options, expires: new Date(1) }), with maxAge deleted from the options object. The Express 5 change here was to strip user-provided maxAge/expires so a stale config can't accidentally extend a "cleared" cookie's life.
Sessions
Express does not include a session store. Two packages from the expressjs/ org are commonly paired:
cookie-session— stores session data in a signed cookie (no server-side state).express-session— server-side sessions with pluggable stores (in-memory by default, with Redis/Mongo/etc. via separate packages).
Both are listed in devDependencies (cookie-session@2.1.1, express-session@^1.18.1) for use in tests and the examples/session/ and examples/cookie-sessions/ example apps.
A typical setup:
const session = require('express-session');
const RedisStore = require('connect-redis').default;
const { createClient } = require('redis');
const redisClient = createClient();
redisClient.connect();
app.use(
session({
store: new RedisStore({ client: redisClient }),
secret: 's3cret',
resave: false,
saveUninitialized: false,
cookie: { httpOnly: true, secure: true },
})
);Once mounted, req.session and req.session.id are available downstream.
Related pages
- Response for the
res.cookieandres.clearCookiesource. - Glossary for cookie and session terminology.
- Reference / Dependencies for the cookie-related packages.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.