You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
import{Cookie,CookieJar}from'tough-cookie'// parse a `Cookie` request headerconstreqCookies='ID=298zf09hf012fh2; csrf=u32t4o3tb3gg43; _gat=1'.split(';').map(Cookie.parse)// generate a `Cookie` request headerconstcookieHeader=reqCookies.map((cookie)=>cookie.cookieString()).join(';')// parse a Set-Cookie response headerconstresCookie=Cookie.parse('foo=bar; Domain=example.com; Path=/; Expires=Tue, 21 Oct 2025 00:00:00 GMT',)// generate a Set-Cookie response headerconstsetCookieHeader=cookie.toString()// store and retrieve cookiesconstcookieJar=newCookieJar()// uses the in-memory store by defaultawaitcookieJar.setCookie(resCookie,'https://example.com/')constmatchingCookies=awaitcookieJar.getCookies('https://example.com/')
Important
For more detailed usage information, refer to the API docs.
RFC6265bis
Support for RFC6265bis is being developed. As these revisions to RFC6252 are
still in Active Internet-Draft state, the areas of support that follow are subject to change.
SameSite Cookies
This change makes it possible for servers, and supporting clients, to mitigate certain types of CSRF
attacks by disallowing SameSite cookies from being sent cross-origin.
Example
import{CookieJar}from'tough-cookie'constcookieJar=newCookieJar()// uses the in-memory store by default// storing cookies with various SameSite attributesawaitcookieJar.setCookie('strict=authorized; SameSite=strict','https://example.com/index.html',)awaitcookieJar.setCookie('lax=okay; SameSite=lax','https://example.com/index.html',)awaitcookieJar.setCookie('normal=whatever','https://example.com/index.html')// retrieving cookies using a SameSite contextconstlaxCookies=awaitcookieJar.getCookies('https://example.com/index.html',{// the first cookie (strict=authorized) will not be returned if the context is 'lax'// but the other two cookies will be returnedsameSiteContext: 'lax',})
Note
It is highly recommended that you read RFC6265bis - Section 8.8 for more details on SameSite cookies, security considerations, and defense in depth.
Cookie Prefixes
Cookie prefixes are a way to indicate that a given cookie was set with a set of attributes simply by
inspecting the first few characters of the cookie's name.
Two prefixes are defined:
"__Secure-"
If a cookie's name begins with a case-sensitive match for the string __Secure-, then the cookie was set with a "Secure" attribute.
"__Host-"
If a cookie's name begins with a case-sensitive match for the string __Host-, then the cookie was set with a "Secure" attribute, a "Path" attribute with a value of "/", and no "Domain" attribute.
If prefixSecurity is enabled for CookieJar, then cookies that match the prefixes defined above but do
not obey the attribute restrictions are not added.
You can define this functionality by passing in the prefixSecurity option to CookieJar. It can be one of 3 values:
silent: (default) Enable cookie prefix checking but silently fail to add the cookie if conditions are not met.
strict: Enable cookie prefix checking and error out if conditions are not met.
unsafe-disabled: Disable cookie prefix checking.
If ignoreError is passed in as true when setting a cookie then the error is silent regardless of the prefixSecurity option (assuming it's enabled).
Example
import{CookieJar,MemoryCookieStore}from'tough-cookie'constcookieJar=newCookieJar(newMemoryCookieStore(),{prefixSecurity: 'silent',})// this cookie will be silently ignored since the url is insecure (http)awaitcookieJar.setCookie('__Secure-SID=12345; Domain=example.com; Secure;','https://example.com',)// this cookie will be stored since the url is secure (https)awaitcookieJar.setCookie('__Secure-SID=12345; Domain=example.com; Secure;','https://example.com',)
We follow the Node.js release schedule and support
all versions that are in Active LTS or Maintenance. We will always do a major release when dropping support
for older versions of node, and we will do so in consultation with our community.
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
