Cookie HttpOnly


Restricting access to cookies is essential for security in many web apps. For example, the session ID, the secret token used to identify a particular session, is typically stored in a cookie.

Cookies HttpOnly is a Node.js® module for getting and setting HTTP(S) cookies with the HttpOnly flag set and strict security policy. This module implemented by following the RFC 6265 Standard.

Getting Started

$3

To use Cookie HttpOnly in your project, run:

``bash
npm i cookie-httponly
`


$3

Setting location up Nginx as proxy for Nodejs application:

`bash
location @nodejs {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Host $host:$server_port;
proxy_set_header IP $remote_addr;
}
`

API docs

$3

class Cookie
* constructor: new Cookie(request, response)
* cookie.has(name)
* cookie.get(name)
* [cookie.set(name, value[, options])](#cookiesetname-value-options)
* cookie.request
* cookie.response
* cookie.entries
* cookie.domain
* cookie.secure

#### class: Cookie

This class implemented by following the ECMAScript® 2018 Language Specification
Standard. To use this module:

`js
const Cookie = require('cookie-httponly');
`

#### constructor: new Cookie(request, response)

- request <http.IncomingMessage>
- response <http.ServerResponse>.

`js
const http = require('http');
const Cookie = require('cookie-httponly');

http.createServer((req, res) => {
const cookie = new Cookie(req, res);
res.end();
})
.listen(8080);
`
When the class instance is initialized successfully, the HTTP headers are read and parsed. The resulting values are available from the cookie.entries field.

> The connection must be established from the domain name (i.e., not an IP address)

#### cookie.has(name)

- name <String>
- returns: <Boolean> A true if an element with the specified key exists in the cookie.entries; otherwise false.

The method returns a Boolean value indicating whether or not an element with the specified key name exists from the cookie.entries field.

#### cookie.get(name)

- name <String>
- returns: <String | undefined> A string if an element with the specified key exists in the cookie.entries; otherwise undefined.

The method returns the value of the specified name from the cookie.entries field.

#### cookie.set(name, value[, options])

- name <String> Invalid characters will be deleted or escaped.
- value <String> Invalid characters will be deleted or escaped.
- options <Object>
- domain <String> The domain option specifies those hosts to which the cookie will be sent. For example, if the value of the domain option is 'example.com', the user agent will include the cookie in the Cookie header when making HTTP(S) requests to 'example.com', 'www.example.com', and 'www.corp.example.com'.

> NOTE That a leading '.', if present, is ignored even though that character is not permitted, but a trailing '.', if present, will cause the user agent to ignore the attribute.

If the server omits the domain options, the user agent will return the cookie only to the origin server. Domain matching the string is a host name (i.e., not an IP address). Default: cookie.domain.
- path <String> Cookie path, use '/' as the path if you want your cookie to be accessible on all pages. Default: '/'.
- expires <Date> The Expires attribute indicates the date and time at which the cookie expires. Default: current session.

> NOTE Typical session identifier might reasonably be set to expire in two weeks.
- returns: <undefined>

Installing HTTP(S) headers. Note that setting headers does not mean the appearance of values in the cookie.entries field. With the https secure connection, the method will automatically add the security flag to the headers.

An example of setting the headers to record cookies for 1 year.

`js
const http = require('http');
const Cookie = require('cookie-httponly');

http.createServer((req, res) => {
const cookie = new Cookie(req, res);
let forYear = new Date();

cookie.set('user', '84b7e44aa54d002eac8d00f5bfa9cc93410f2a48', {
expires: forYear.setUTCFullYear(forYear.getUTCFullYear() + 1)
});

res.end();
})
.listen(8080);
`

To send headers for remove of cookies by name, simply set the header with the begin date and time.

`js
const http = require('http');
const Cookie = require('cookie-httponly');

http.createServer((req, res) => {
const cookie = new Cookie(req, res);

cookie.set('user', '', {
expires: new Date(0) // Thu, 01 Jan 1970 00:00:00 GMT
});

res.end();
})
.listen(8080);
`

#### cookie.request

- <http.IncomingMessage>

#### cookie.response

- <http.ServerResponse>

#### cookie.entries

- <Map> The values of the incoming cookie.

#### cookie.domain

- <String> The value is set when creating an instance of the class from the request.headers field of the current connection. The connection must be established from the domain name (i.e., not an IP address).

#### cookie.secure

- <Boolean> true if the current session has a secure connection; otherwise false.

You can override the properties cookie.domain and cookie.secure`.