Node.js, Express and Cookies
When you develop an app on Node.js and Express, you may have come across many code snippets that offer different ways to set, read and destroy a cookie. Do you just copy them blindly?
I myself met with situations that got me stuck for days, because of a cookie!
Why is req.cookies empty?
You may have tried everything you can find online, setting the different options on your res.cookie, and then you realise, hey! req.cookies always comes back empty or undefined!
I was taught to set a cookie this way, in order to ensure my cookie is secure.
const cookie = {
  httpOnly: true,
  sameSite: true,
  signed: true,
  secure: true,
}
// set the cookie in one route
res.cookie('key', 'string', cookie)

// on another route
console.log(req.cookies) // returns {}
Notice what’s wrong with the code above?
Yes, signed is set to true. I had no idea what a signed cookie was before this. However, if you encounter the same situation as me, first check whether your signed option is set to true. If it is, you won’t be able to retrieve your cookie via req.cookies. You need to use this instead:
req.signedCookies
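Why a signed cookie shows up in req.signedCookies and not in req.cookies, as an added example that is not from the original post: it reimplements with Node's crypto module the wire format cookie-parser uses for signed cookies (an s: prefix, then the value, a dot and an HMAC-SHA256 in base64) instead of calling the library. The secret, cookie names and header values are constructed for illustration.

```javascript
// Added example: mimics the signed-cookie format of cookie-parser using Node's crypto only.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: the secret given to cookieParser(secret)

// HMAC-SHA256 over the value, base64 without '=' padding, appended after a dot.
function sign(value, secret) {
  const mac = crypto.createHmac('sha256', secret).update(value).digest('base64');
  return value + '.' + mac.replace(/=+$/, '');
}

// Returns the original value, or false when the signature does not match.
function unsign(signed, secret) {
  const value = signed.slice(0, signed.lastIndexOf('.'));
  const expected = Buffer.from(sign(value, secret));
  const actual = Buffer.from(signed);
  return expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual) ? value : false;
}

// What res.cookie(name, value, { signed: true }) puts on the wire: "s:" + signed value.
function serializeSigned(name, value, secret) {
  return name + '=' + encodeURIComponent('s:' + sign(value, secret));
}

// Split a Cookie request header into plain and signed cookies.
function parseCookies(header, secret) {
  const cookies = {};
  const signedCookies = {};
  for (const pair of header.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    const value = decodeURIComponent(pair.slice(eq + 1).trim());
    if (value.startsWith('s:')) {
      signedCookies[name] = unsign(value.slice(2), secret); // false if tampered
    } else {
      cookies[name] = value;
    }
  }
  return { cookies, signedCookies };
}

// Constructed request headers: one untouched, one with the value edited client-side.
const good = serializeSigned('key', 'string', SECRET) + '; theme=dark';
const tampered = good.replace('string', 'admin1');
console.log(parseCookies(good, SECRET));
console.log(parseCookies(tampered, SECRET));
```

A signed cookie whose value was changed on the client comes back as false, so check for that before trusting anything read from req.signedCookies.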
How do I delete / destroy a cookie? Sending res.cookie('cookiename', '', {maxAge: 0}) doesn’t work!
If you have copied code snippets from forums and other online resources, you will have noticed that they work for some people, but may not work for everyone.
In my application, I wanted a simple log out function that uses fetch to call the /logout route.
const logout = () => {
  fetch('/logout', { method: 'POST' })
}
On my server, I followed the code I found online. These are some of the solutions provided, all very similar to one another:
res.cookie('cookieName', '', {
  domain: 'my.domain.com', // Domain takes a host name, not a URL
  maxAge: 0,
  overwrite: true,
});
or this…
const oldDate = new Date(Date.now() - 24 * 60 * 60 * 1000); // any date in the past
res.cookie("key", "empty the key content", { expires: oldDate, domain: '.example.com', path: '/' });
or this….
res.cookie("token", "", { expires: new Date(0),domain:'.test.com', path: '/' });
And they all work. Some believe setting the domain and path is important when expiring the cookie, and I tried most of them, but nothing worked in any of my attempts.
If you have tried the above and it still doesn’t work, try this:
server.post('/logout', (req, res, next) => {
  // expire the cookie, then end the response so the Set-Cookie header is sent
  return res
    .cookie('jwt', 'deleted', { maxAge: 0, expires: new Date(0) })
    .end();
})
.end() is the most important part: it ensures the response carrying the res.cookie header actually gets sent to the client, and leaving it out is one big mistake that I made.
Now I can successfully expire the cookie, send it to the client, and finally see the cookie disappear from the browser.
Know a trick or 2 about cookies? Share with me!