2 * Connect - cookieSession
3 * Copyright(c) 2011 Sencha Inc.
11 var cookieParser = require('cookie-parser');
12 var parseUrl = require('parseurl');
13 var Cookie = require('express-session').Cookie
14 , debug = require('debug')('connect:cookieSession')
15 , signature = require('cookie-signature')
16 , onHeaders = require('on-headers')
17 , url = require('url');
22 * Cookie session middleware.
24 * var app = connect();
25 * app.use(connect.cookieParser());
26 * app.use(connect.cookieSession({ secret: 'tobo!', cookie: { maxAge: 60 * 60 * 1000 }}));
30 * - `key` cookie name defaulting to `connect.sess`
31 * - `secret` prevents cookie tampering
32 * - `cookie` session cookie settings, defaulting to `{ path: '/', httpOnly: true, maxAge: null }`
33 * - `proxy` trust the reverse proxy when setting secure cookies (via "x-forwarded-proto")
37 * To clear the session simply set its value to `null`,
38 * `cookieSession()` will then respond with a 1970 Set-Cookie.
42 * If you are interested in more sophisticated solutions,
43 * you may be interested in:
45 * - [client-sessions](https://github.com/mozilla/node-client-sessions)
47 * @param {Object} options
52 module.exports = function cookieSession(options){
53 // TODO: utilize Session/Cookie to unify API
54 options = options || {};
55 var key = options.key || 'connect.sess'
56 , trustProxy = options.proxy;
58 return function cookieSession(req, res, next) {
60 // req.secret is for backwards compatibility
61 var secret = options.secret || req.secret;
62 if (!secret) throw new Error('`secret` option required for cookie sessions');
66 var cookie = req.session.cookie = new Cookie(options.cookie);
69 var originalPath = parseUrl.original(req).pathname;
70 if (0 != originalPath.indexOf(cookie.path)) return next();
72 // cookieParser secret
73 if (!options.secret && req.secret) {
74 req.session = req.signedCookies[key] || {};
75 req.session.cookie = cookie;
78 var rawCookie = req.cookies[key];
80 var unsigned = cookieParser.signedCookie(rawCookie, secret);
82 var original = unsigned;
83 req.session = cookieParser.JSONCookie(unsigned) || {};
84 req.session.cookie = cookie;
89 onHeaders(res, function(){
92 debug('clear session');
93 cookie.expires = new Date(0);
94 res.setHeader('Set-Cookie', cookie.serialize(key, ''));
98 delete req.session.cookie;
101 var proto = (req.headers['x-forwarded-proto'] || '').toLowerCase()
102 , tls = req.connection.encrypted || (trustProxy && 'https' == proto.split(/\s*,\s*/)[0]);
104 // only send secure cookies via https
105 if (cookie.secure && !tls) return debug('not secured');
108 debug('serializing %j', req.session);
109 var val = 'j:' + JSON.stringify(req.session);
111 // compare data, no need to set-cookie if unchanged
112 if (original == val) return debug('unmodified session');
115 val = 's:' + signature.sign(val, secret);
116 val = cookie.serialize(key, val);
117 debug('set-cookie %j', cookie);
118 res.setHeader('Set-Cookie', val);