
tough-cookie

v5.0.0

Published

RFC6265 Cookies and Cookie Jar for node.js

Downloads

196,281,051

Readme

Tough Cookie

A Node.js implementation of RFC6265 for cookie parsing, storage, and retrieval.

Getting Started

Install Tough Cookie using npm:

npm install tough-cookie

or yarn:

yarn add tough-cookie

Usage

import { Cookie, CookieJar } from 'tough-cookie'

// parse a `Cookie` request header
// (wrap Cookie.parse so that map's index argument is not passed as its options)
const reqCookies = 'ID=298zf09hf012fh2; csrf=u32t4o3tb3gg43; _gat=1'
  .split(';')
  .map(pair => Cookie.parse(pair))
// generate a `Cookie` request header (pairs are separated by "; ")
const cookieHeader = reqCookies.map(cookie => cookie.cookieString()).join('; ')

// parse a Set-Cookie response header
const resCookie = Cookie.parse('foo=bar; Domain=example.com; Path=/; Expires=Tue, 21 Oct 2025 00:00:00 GMT')
// generate a Set-Cookie response header
const setCookieHeader = resCookie.toString()

// store and retrieve cookies
const cookieJar = new CookieJar() // uses the in-memory store by default
await cookieJar.setCookie(resCookie, 'https://example.com/')
const matchingCookies = await cookieJar.getCookies('https://example.com/')

Important: For more detailed usage information, refer to the API docs.

RFC6265bis

Support for RFC6265bis is being developed. As these revisions to RFC6265 are still in Active Internet-Draft state, the areas of support that follow are subject to change.

SameSite Cookies

This change makes it possible for servers, and supporting clients, to mitigate certain types of CSRF attacks by disallowing SameSite cookies from being sent cross-origin.

Example

import { CookieJar } from 'tough-cookie'

const cookieJar = new CookieJar() // uses the in-memory store by default

// storing cookies with various SameSite attributes
await cookieJar.setCookie('strict=authorized; SameSite=strict', 'http://example.com/index.html')
await cookieJar.setCookie('lax=okay; SameSite=lax', 'http://example.com/index.html')
await cookieJar.setCookie('normal=whatever', 'http://example.com/index.html')

// retrieving cookies using a SameSite context
const laxCookies = await cookieJar.getCookies('http://example.com/index.html', {
  // the first cookie (strict=authorized) will not be returned if the context is 'lax'
  // but the other two cookies will be returned
  sameSiteContext: 'lax',
})

Note: It is highly recommended that you read RFC6265bis - Section 8.8 for more details on SameSite cookies, security considerations, and defense in depth.

Cookie Prefixes

Cookie prefixes are a way to indicate that a given cookie was set with a set of attributes simply by inspecting the first few characters of the cookie's name.

Two prefixes are defined:

  • "__Secure-"

    If a cookie's name begins with a case-sensitive match for the string __Secure-, then the cookie was set with a "Secure" attribute.

  • "__Host-"

    If a cookie's name begins with a case-sensitive match for the string __Host-, then the cookie was set with a "Secure" attribute, a "Path" attribute with a value of "/", and no "Domain" attribute.

If prefixSecurity is enabled for CookieJar, then cookies that match the prefixes defined above but do not obey the attribute restrictions are not added.

You can define this functionality by passing in the prefixSecurity option to CookieJar. It can be one of 3 values:

  1. silent: (default) Enable cookie prefix checking but silently fail to add the cookie if conditions are not met.
  2. strict: Enable cookie prefix checking and error out if conditions are not met.
  3. unsafe-disabled: Disable cookie prefix checking.

If ignoreError is passed in as true when setting a cookie then the error is silent regardless of the prefixSecurity option (assuming it's enabled).

Example

import { CookieJar, MemoryCookieStore } from 'tough-cookie'

const cookieJar = new CookieJar(new MemoryCookieStore(), {
  prefixSecurity: 'silent'
})

// this cookie will be silently ignored since the url is insecure (http)
await cookieJar.setCookie(
  '__Secure-SID=12345; Domain=example.com; Secure;',
  'http://example.com',
)

// this cookie will be stored since the url is secure (https)
await cookieJar.setCookie(
  '__Secure-SID=12345; Domain=example.com; Secure;',
  'https://example.com',
)

Note: It is highly recommended that you read RFC6265bis - Section 4.1.3 for more details on Cookie Prefixes.
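
The prefix rules above can also be checked outside the jar, for example when auditing captured Set-Cookie headers. The following is an added example, not part of tough-cookie or its README: parseSetCookie and checkCookiePrefix are hypothetical helper names, the sample headers are constructed, and the insecure-URL rule follows the comment in the README example above.

```javascript
// Added example: stand-alone check of the cookie-prefix rules described above.
// parseSetCookie/checkCookiePrefix are hypothetical helpers, not tough-cookie API.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';')
  const eq = pair.indexOf('=')
  const name = (eq === -1 ? '' : pair.slice(0, eq)).trim()
  const attrs = new Map()
  for (const part of attrParts) {
    const trimmed = part.trim()
    if (!trimmed) continue // tolerate a trailing ';'
    const i = trimmed.indexOf('=')
    const key = (i === -1 ? trimmed : trimmed.slice(0, i)).trim().toLowerCase()
    const value = i === -1 ? '' : trimmed.slice(i + 1).trim()
    attrs.set(key, value) // attribute names are case-insensitive; last one wins
  }
  return { name, attrs }
}

function checkCookiePrefix(header, url) {
  const { name, attrs } = parseSetCookie(header)
  const problems = []
  // The prefix match is case-sensitive, as stated in the text.
  const isHost = name.startsWith('__Host-')
  const isSecure = name.startsWith('__Secure-')
  if (!isHost && !isSecure) return { name, ok: true, problems }

  if (!attrs.has('secure')) problems.push('missing Secure attribute')
  if (new URL(url).protocol !== 'https:') problems.push('set from an insecure URL')
  if (isHost) {
    if (attrs.get('path') !== '/') problems.push('Path must be "/"')
    if (attrs.has('domain')) problems.push('Domain attribute not allowed')
  }
  return { name, ok: problems.length === 0, problems }
}

// Constructed sample Set-Cookie values paired with the URL that set them.
const samples = [
  ['__Secure-SID=12345; Domain=example.com; Secure;', 'http://example.com'],
  ['__Secure-SID=12345; Domain=example.com; Secure;', 'https://example.com'],
  ['__Host-SID=12345; Secure; Path=/', 'https://example.com'],
  ['__Host-SID=12345; Secure; Path=/; Domain=example.com', 'https://example.com'],
  ['__host-SID=12345', 'http://example.com'], // wrong case: not a prefixed cookie
]
for (const [header, url] of samples) {
  const r = checkCookiePrefix(header, url)
  console.log(r.ok ? 'accept' : 'reject', r.name, r.problems.join('; '))
}
```

Each rejected sample reports the specific rule it breaks, which a jar in silent mode does not surface.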

Node.js Version Support

We follow the Node.js release schedule and support all versions that are in Active LTS or Maintenance. We will always do a major release when dropping support for older versions of node, and we will do so in consultation with our community.