req.cookies and req.signedCookies in Express.js

  • Difficulty Level : Medium
  • Last Updated : 26 Nov, 2021

req.cookies: Request cookies are the cookies that come from the client (browser), and response cookies are the cookies that the server sends back to the client (browser). Cookies are small files/data that are sent to the client with a server request and stored on the client side. This helps us keep track of the user's actions.

cookie-parser is a middleware that parses the cookies attached to the client request object. When the cookie-parser middleware is in use, req.cookies is an object that contains the cookies sent by the request. If the request contains no cookies, it defaults to { }.

Example:

Javascript




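var cookieParser = require('cookie-parser');
var express = require('express');
var app = express();
var PORT = 3000;

// Parse the Cookie request header into req.cookies
app.use(cookieParser());

app.get('/user', function (req, res) {
    // These assignments only change the parsed object for this request;
    // they do not send a cookie to the browser (res.cookie() does that)
    req.cookies.name = 'Gourav';
    req.cookies.age = 12;

    console.log(req.cookies);
    res.send();
});

app.listen(PORT, function (err) {
    // Stop here on a startup error instead of also logging success
    if (err) return console.log(err);
    console.log("Server listening on PORT", PORT);
});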

Output: Open your browser and make a GET request to http://localhost:3000/user. You will see the following output on your console:



Server listening on PORT 3000
[Object: null prototype] { name: 'Gourav', age: 12 }

req.signedCookies: When the cookie-parser middleware is in use, the req.signedCookies property contains the signed cookies sent by the request, unsigned and ready for use. Signing a cookie does not make it hidden or encrypted; it simply prevents tampering with the cookie. It works by creating an HMAC of the value (the current cookie) and base64-encoding it. When the cookie is read, the signature is recalculated and checked against the signature attached to the cookie. If it does not match, then it gives an error. If no signed cookies are sent, the property defaults to { }.

Example:

Javascript




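var cookieParser = require('cookie-parser');
var express = require('express');
var app = express();
var PORT = 3000;

// No secret is passed here, so cookie-parser verifies no signatures
// and req.signedCookies starts out as an empty object
app.use(cookieParser());

app.get('/user', function (req, res) {

    // These assignments only change the parsed object for this request;
    // they neither sign anything nor send a cookie to the browser
    // (res.cookie(name, value, { signed: true }) does that)
    req.signedCookies.title = 'Gourav';
    req.signedCookies.age = 12;

    console.log(req.signedCookies);
    res.send();
});

app.listen(PORT, function (err) {
    // Stop here on a startup error instead of also logging success
    if (err) return console.log(err);
    console.log("Server listening on PORT", PORT);
});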

Output: Open your browser and make a GET request to http://localhost:3000/user. You will see the following output on your console:

Server listening on PORT 3000
[Object: null prototype] { title: 'Gourav', age: 12 }
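
The signing and verification described for req.signedCookies above, as an added example that is not the article's or cookie-parser's own code. It uses only Node's crypto module and follows the `s:<value>.<signature>` layout that cookie-parser uses, where a failed check shows up as the value false; the secret, the helper names and the sample cookies are constructed for illustration.

```javascript
// Added illustration; SECRET and all helper names are hypothetical.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // in production, load from config

// HMAC-SHA256 over the value, base64 with '=' padding stripped.
function mac(value, secret) {
  return crypto.createHmac('sha256', secret).update(value)
    .digest('base64').replace(/=+$/, '');
}

// Build the string stored in the browser: "s:<value>.<signature>".
// The value stays readable: signing is not encryption.
function signCookie(value, secret) {
  return 's:' + value + '.' + mac(value, secret);
}

// Return the original value, or false when the signature does not verify.
function unsignCookie(raw, secret) {
  if (!raw.startsWith('s:')) return raw;           // not a signed cookie
  const body = raw.slice(2);
  const dot = body.lastIndexOf('.');
  if (dot === -1) return false;                    // no signature part
  const value = body.slice(0, dot);
  const expected = Buffer.from(mac(value, secret));
  const given = Buffer.from(body.slice(dot + 1));
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  const ok = given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
  return ok ? value : false;
}

// Split parsed cookies into the two objects the article describes.
function splitCookies(all, secret) {
  const cookies = Object.create(null);
  const signedCookies = Object.create(null);
  for (const [name, raw] of Object.entries(all)) {
    const result = unsignCookie(raw, secret);
    if (result === raw) cookies[name] = raw;       // plain cookie, unverified
    else signedCookies[name] = result;             // verified value or false
  }
  return { cookies, signedCookies };
}

// Constructed request: one plain cookie, one valid signed, one tampered.
const good = signCookie('user', SECRET);
const tampered = good.replace('s:user.', 's:admin.');
const demo = splitCookies({ theme: 'dark', role: good, role2: tampered }, SECRET);
console.log(demo);
```

Handlers should treat a `false` entry in the signed set as a rejected cookie, and should not rely on a value in the plain set for any decision where client-side modification matters.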

Difference between req.cookies and req.signedCookies:

| req.cookies | req.signedCookies |
|---|---|
| We cannot identify if the data being returned to the cookie is modified by the client or not. | We use a signed cookie if we want assurance that the data being returned to the cookie has not been modified by the client. |
| If the request contains no cookies, it defaults to { }. | If no signed cookies are sent then this property defaults to { }. |
| Server cannot detect if the cookies are changed by the client. | Server can detect if the cookies are changed by the client. |
| No case of adding a signature to the cookie. | Signature is added as part of the cookie along with the actual cookie data. The signature is derived from the cookie data and from a secret that is known only to the server. |
