When should I use cookie-parser with express-session?
Solution 1
For future humble coders that will stumble upon this - I'm posting an up-to-date answer:
As the official description of the express-session middleware says:
"Since version 1.5.0, the cookie-parser middleware no longer needs to be used for this module to work. This module now directly reads and writes cookies on req/res. Using cookie-parser may result in issues if the secret is not the same between this module and cookie-parser."
Therefore, just use express-session middleware and have a nice day.
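The secret mismatch that the quoted documentation warns about, as an added example that is not part of the original answer or of either library's code: it re-implements the signed-cookie format (an "s:" prefix, then the value, a dot and an HMAC-SHA256 signature) with Node's crypto module and verifies one cookie under two secrets. The secrets and session ID are constructed and the helper names are hypothetical; connect.sid is express-session's default cookie name.

```javascript
// Added illustration: a stand-alone re-implementation of the signed-cookie
// format, not code from express-session or cookie-parser.
const crypto = require('node:crypto');

// value + "." + base64(HMAC-SHA256(secret, value)) with "=" padding removed
function sign(value, secret) {
  const mac = crypto.createHmac('sha256', secret).update(value).digest('base64');
  return value + '.' + mac.replace(/=+$/, '');
}

// Returns the original value, or false when the signature does not verify.
function unsign(signed, secret) {
  const idx = signed.lastIndexOf('.');
  if (idx === -1) return false;
  const value = signed.slice(0, idx);
  const expected = Buffer.from(sign(value, secret));
  const actual = Buffer.from(signed);
  // Length check first: timingSafeEqual throws on unequal lengths.
  return expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual) ? value : false;
}

// Parse a Cookie header and verify every "s:"-prefixed value with `secret`.
function readSignedCookies(header, secret) {
  const out = {};
  for (const pair of header.split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    const name = pair.slice(0, eq).trim();
    const raw = decodeURIComponent(pair.slice(eq + 1).trim());
    if (raw.startsWith('s:')) out[name] = unsign(raw.slice(2), secret);
  }
  return out;
}

// Constructed values: the session ID and both secrets are made up for the demo.
const SESSION_SECRET = 'session-secret-demo';
const PARSER_SECRET = 'different-parser-secret';
const sid = 'Zx3kQ9constructedSessionId';

// What the session layer sends back: connect.sid=s:<sid>.<signature>
const header = 'theme=dark; connect.sid=' +
  encodeURIComponent('s:' + sign(sid, SESSION_SECRET));

const sameSecret = readSignedCookies(header, SESSION_SECRET);
const otherSecret = readSignedCookies(header, PARSER_SECRET);
console.log('same secret:     ', sameSecret['connect.sid']);
console.log('different secret:', otherSecret['connect.sid']);
```

A reader configured with a different secret sees the session cookie as an invalid signature (false) rather than as the session ID, which is the failure the documentation describes.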
Solution 2
In addition to providing simple cookie parsing functionality, the cookie-parser middleware enables signed cookies which can be referenced by other middleware components, using an optional secret attribute.
Why would you want signed cookies? This question addresses that well.
surenyonjan
Updated on July 09, 2022
Comments
-
surenyonjan almost 2 years
In most ExpressJs examples, I found using cookie-parser with express-session. If I could access session data with req.session.name without it, in what case (or benefits) should I be using cookie-parser?
-
ryanman over 9 years
The documentation at github.com/expressjs/session seems to indicate it supports a signed cookie on its own. Am I missing something?
-
ViggoV over 5 years
According to Express' own security guidelines express-session is not production ready and should not be used: expressjs.com/en/advanced/…
-
Max Yari over 5 years
@ViggoV I think you mean this line: "By default, it uses in-memory storage and is not designed for a production environment"? It talks not about the whole express-session being not prod ready, but rather about not using the default in-memory storage for production. Together with express-session you should use a session store compatible with your db for persistent cookie storage and it all will be fine.
-
Benny about 5 years
So cookie-parser can't be used with express-session? What if I need to both read cookie and maintain session data?
-
Max Yari over 4 years
@Benny no idea if they'll conflict or not tbh. Personally I would've just checked if there's a session reading api/parsed cookies exposed on express-session.
-
java-addict301 over 3 years
@Benny from the express-session main page, it sounds like they will only conflict if the secret is different between the two modules - "Using cookie-parser may result in issues if the secret is not the same between this module and cookie-parser"