Hi, I have a project in Node.js
and I want to set the HttpOnly flag to true in the response header.
I have written the following code in app.js,
but it has no effect on the response header.
var express = require('express');
var session = require('express-session');
var app = express();

app.use(session({
  secret: "notagoodsecretnoreallydontusethisone",
  resave: false,
  saveUninitialized: true,
  cookie: { httpOnly: true, secure: true } // express-session reads both flags from the nested cookie object
}));
So any suggestion for setting the HttpOnly flag in Express.js
is most welcome.
- If you want to set it to true, why is your code explicitly setting it to false? – Quentin Commented Nov 23, 2015 at 14:04
- Sorry, the mistake was there, I just edited it. – arjun kori Commented Nov 23, 2015 at 14:06
- I am using this same code but it has no effect. – arjun kori Commented Nov 23, 2015 at 14:06
- Which version of Express and Express Session middleware are you using? – nikc Commented Nov 23, 2015 at 14:07
- Both have version 1.4.28. – arjun kori Commented Nov 23, 2015 at 14:10
2 Answers
I think you could try this!
app.use(session({
  cookieName: 'sessionName',
  secret: "notagoodsecretnoreallydontusethisone",
  resave: false,
  saveUninitialized: true,
  httpOnly: true, // don't let browser JavaScript access the cookie, ever
  secure: true, // only send the cookie over HTTPS
  ephemeral: true // delete this cookie when the browser closes
}));
This example uses the cookie-parser library.
Setting a cookie: res.cookie("cookie_name", token, {})
Pass res.cookie() an options object with httpOnly: true:
const options = {
  expires: new Date(Date.now() + duration), // expires must be a Date; duration is the cookie lifetime in milliseconds
  httpOnly: true,
};
Final example:
res.cookie("cookie_name", token, options)
- https://www.npmjs.com/package/cookie-parser
- https://expressjs.com/en/resources/middleware/cookie-parser.html