47

In most ExpressJS examples, I found cookie-parser used with express-session.

If I could access session data with req.session.name without it, in what case (or for what benefits) should I be using cookie-parser?

surenyonjan

2 Answers

120

For future humble coders who will stumble upon this, I'm posting an up-to-date answer:

As the official description of express-session middleware says here: express-session

> Since version 1.5.0, the cookie-parser middleware no longer needs to be used for this module to work. This module now directly reads and writes cookies on req/res. Using cookie-parser may result in issues if the secret is not the same between this module and cookie-parser.

Therefore, just use express-session middleware and have a nice day.

Max Yari
  • According to Express' own security guidelines express-session is not production ready and should not be used: https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely – ViggoV Oct 04 '18 at 08:36
  • 9
    @ViggoV I think you mean this line `By default, it uses in-memory storage and is not designed for a production environment`? It talks not about the whole `express-session` being not prod ready, but rather about not using the default in-memory storage for production; together with `express-session` you should use a session store compatible with your db for persistent cookie storage and it all will be fine. – Max Yari Oct 05 '18 at 12:13
  • 2
    So cookie-parser can't be used with express-session? What if I need to both read cookies and maintain session data? – Benny Apr 28 '19 at 07:11
  • @Benny no idea if they'll conflict or not tbh. Personally I would've just checked if there's a session reading api/parsed cookies exposed on express-session. – Max Yari Aug 16 '19 at 18:19
  • @Benny from the express-session main page, it sounds like they will only conflict if the secret is different between the two modules - "Using cookie-parser may result in issues if the secret is not the same between this module and cookie-parser" – java-addict301 Dec 12 '20 at 07:47
3

In addition to providing simple cookie parsing functionality, the cookie-parser middleware enables signed cookies which can be referenced by other middleware components, using an optional secret attribute.

Why would you want signed cookies? This question addresses that well.

Community
Ben
  • 4
    The documentation at https://github.com/expressjs/session seems to indicate it supports a signed cookie on its own. Am I missing something? – ryanman Jan 20 '15 at 23:46