Parse HTTP request cookies
cookie-parser is Express middleware that parses the Cookie header from incoming HTTP requests and populates req.cookies with an object keyed by cookie names. Without this middleware, accessing cookies requires manually parsing the raw Cookie header string, which is error-prone and tedious.
The package handles both unsigned and signed cookies. Signed cookies use HMAC-based signatures to detect client-side tampering, making them suitable for storing sensitive data like session identifiers or user preferences. Signing protects integrity only: the value is not encrypted and remains readable by the client. When you provide a secret key during initialization, cookie-parser automatically verifies signed cookies and places them in req.signedCookies instead of req.cookies; a signed cookie whose signature does not verify appears there with the value false.
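The following added example (not cookie-parser's own source) re-implements the `s:<value>.<signature>` signed-cookie format with Node's built-in crypto module, to show what verification accepts and rejects, including checking against a list of secrets during key rotation. The secrets, the cookie value and the helper names makeSignedCookie and readSignedCookie are constructed for illustration.

```javascript
// Added example: stand-alone illustration of the signed-cookie format, not the package's code.
const crypto = require('crypto');

// HMAC-SHA256 over the value, base64-encoded with '=' padding stripped.
function sign(value, secret) {
  const mac = crypto.createHmac('sha256', secret).update(value).digest('base64');
  return value + '.' + mac.replace(/=+$/, '');
}

// Returns the original value if the signature matches, otherwise false.
function unsign(signed, secret) {
  const value = signed.slice(0, signed.lastIndexOf('.'));
  const expected = Buffer.from(sign(value, secret));
  const actual = Buffer.from(signed);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual) ? value : false;
}

// Hypothetical helper: a signed cookie on the wire is "s:" + signed value.
function makeSignedCookie(value, secret) {
  return 's:' + sign(value, secret);
}

// Hypothetical helper: verify against one or more secrets (newest first for rotation).
// Values without the "s:" prefix pass through unchanged; a bad signature yields false.
function readSignedCookie(raw, secrets) {
  if (!raw.startsWith('s:')) return raw;
  for (const secret of [].concat(secrets)) {
    const value = unsign(raw.slice(2), secret);
    if (value !== false) return value;
  }
  return false;
}

// Constructed sample data (secrets and value are made up for this example).
const OLD_SECRET = 'constructed-old-secret-for-demo-only';
const NEW_SECRET = 'constructed-new-secret-for-demo-only';
const cookie = makeSignedCookie('dark_mode', OLD_SECRET);
const tampered = cookie.replace('dark_mode', 'admin_mode');

console.log(cookie.split('.')[0]);                                 // 's:dark_mode' (readable in the clear)
console.log(readSignedCookie(cookie, [NEW_SECRET, OLD_SECRET]));   // 'dark_mode'
console.log(readSignedCookie(tampered, [NEW_SECRET, OLD_SECRET])); // false
console.log(readSignedCookie(cookie, NEW_SECRET));                 // false
```

Handlers should treat false the same as a missing cookie, and a retired secret should be removed from the list once cookies signed with it have expired.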
With nearly 6 million weekly downloads, cookie-parser is the de facto standard for cookie handling in Express applications. It's maintained as part of the Express.js ecosystem and follows the middleware pattern that Express developers expect. While modern frameworks like Next.js provide built-in cookie handling, cookie-parser remains essential for traditional Express applications that need reliable cookie parsing without reinventing the wheel.
The package is particularly valuable in authentication workflows, user tracking, and any scenario where you need to maintain state between HTTP requests. It integrates seamlessly with session management libraries and works alongside other Express middleware without conflicts.
const express = require('express');
const cookieParser = require('cookie-parser');

const app = express();

// Placeholder value: load the real secret from configuration, not from source code.
const SECRET_KEY = 'your-secret-key-min-32-chars';

// Passing a secret enables signature verification and populates req.signedCookies.
app.use(cookieParser(SECRET_KEY));

app.get('/', (req, res) => {
  // Cookie values are client-controlled strings: parse with a radix and fall back to 0.
  const visitCount = (parseInt(req.cookies.visits, 10) || 0) + 1;

  // Unsigned cookie: the client can change this value freely.
  res.cookie('visits', visitCount, {
    maxAge: 900000, // 15 minutes, in milliseconds
    httpOnly: true
  });

  // Signed cookie: tampering is detected on the next request.
  res.cookie('user_pref', 'dark_mode', {
    signed: true,
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production'
  });

  res.json({
    visits: visitCount,
    unsignedCookies: req.cookies,
    signedCookies: req.signedCookies
  });
});

app.get('/validate-session', (req, res) => {
  // Undefined when the cookie is absent, false when its signature did not verify.
  const sessionToken = req.signedCookies.session_token;
  if (!sessionToken) {
    return res.status(401).json({ error: 'No valid session' });
  }
  res.json({ authenticated: true, token: sessionToken });
});

app.listen(3000, () => {
  console.log('Server running on http://localhost:3000');
});

Authentication systems: Read JWTs or session IDs stored in cookies to identify authenticated users on each request. The signed cookie feature ensures tokens haven't been modified client-side.
User preferences and settings: Store non-sensitive user preferences like theme selection, language choice, or display settings in cookies that persist across sessions without requiring database lookups.
Shopping cart persistence: Maintain shopping cart state for anonymous users by storing cart IDs in cookies, allowing users to leave and return without losing their selections.
Analytics and tracking: Read tracking cookies set by analytics tools or A/B testing frameworks to segment users and personalize content based on previous behavior.
CSRF protection: Parse CSRF tokens from cookies to validate against tokens submitted in request bodies or headers, preventing cross-site request forgery attacks in forms and API calls.
npm install cookie-parser
pnpm add cookie-parser
bun add cookie-parser