Open-Source Wikis

/

Express

/

Features

/

Cookies and sessions

expressjs/express

Cookies and sessions

Active contributors: dougwilson, wesleytodd, ulisesgascon

Express ships cookie writing helpers but does not parse cookies on its own. Sessions are entirely external — Express simply integrates with packages like cookie-session and express-session.

What's in core

Helper Where Notes
res.cookie(name, value, [opts]) lib/response.js Serialises with the cookie package; supports signed cookies via cookie-signature.
res.clearCookie(name, [opts]) lib/response.js Sets expires to new Date(1), strips maxAge. Express 5 ignores user-provided expires/maxAge.
req.signedCookies (set by cookie-parser) external Read-only accessor; populated by the cookie-parser middleware.

There is no req.cookies accessor in Express itself — to read cookies, mount cookie-parser middleware. Most apps do.

res.cookie('rememberme', '1', {
  maxAge: 900000, // 15 minutes (ms); converted to expires
  httpOnly: true,
  secure: true,
  sameSite: 'lax',
});

res.cookie flow:

graph TD
    Call[res.cookie name, value, opts] --> Stringify{typeof value}
    Stringify -- object --> JStr["val = j: + JSON.stringify"]
    Stringify -- other --> AsStr[val = String value]
    JStr --> Sign{opts.signed?}
    AsStr --> Sign
    Sign -- yes --> CheckSecret{req.secret?}
    CheckSecret -- no --> Throw[throw cookieParser secret required]
    CheckSecret -- yes --> SignVal["val = s: + sign val, secret"]
    SignVal --> MaxAge
    Sign -- no --> MaxAge{opts.maxAge?}
    MaxAge -- yes --> Convert[expires = now + maxAge,<br/>maxAge = floor maxAge / 1000]
    MaxAge -- no --> Path
    Convert --> Path{opts.path?}
    Path -- no --> SetSlash["path = /"]
    Path -- yes --> Append
    SetSlash --> Append[res.append Set-Cookie, cookie.serialize ...]

A few things worth knowing:

  • Signed cookies need req.secret. That's set by cookie-parser('secret'). Without it, res.cookie('x', 'y', { signed: true }) throws.
  • Object values get the j: prefix. That's the convention cookie-parser recognises when reading.
  • maxAge is in milliseconds; Express writes both expires (an absolute Date) and Max-Age (in seconds). The cookie package handles formatting.
  • path defaults to / if not specified.
res.clearCookie('rememberme', { path: '/' });

clearCookie is implemented as res.cookie(name, '', { ...options, expires: new Date(1) }), with maxAge deleted from the options object. The Express 5 change here was to strip user-provided maxAge/expires so a stale config can't accidentally extend a "cleared" cookie's life.

Sessions

Express does not include a session store. Two packages from the expressjs/ org are commonly paired:

  • cookie-session — stores session data in a signed cookie (no server-side state).
  • express-session — server-side sessions with pluggable stores (in-memory by default, with Redis/Mongo/etc. via separate packages).

Both are listed in devDependencies (cookie-session@2.1.1, express-session@^1.18.1) for use in tests and the examples/session/ and examples/cookie-sessions/ example apps.

A typical setup:

const session = require('express-session');
const RedisStore = require('connect-redis').default;
const { createClient } = require('redis');

const redisClient = createClient();
redisClient.connect();

app.use(
  session({
    store: new RedisStore({ client: redisClient }),
    secret: 's3cret',
    resave: false,
    saveUninitialized: false,
    cookie: { httpOnly: true, secure: true },
  })
);

Once mounted, req.session and req.session.id are available downstream.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Cookies and sessions – Express wiki | Factory