npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

passport-cookie-session

v1.0.1

Published

Encrypted, cookie-based session middleware compatible with PassportJS

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

robodin08robodin08

Keywords

passportcookiesessionexpressencryption

Readme

passport-cookie-session

npm version npm downloads

A simple Express middleware to manage encrypted cookie sessions, specially designed to work seamlessly with PassportJS authentication.

This package stores session data directly in an encrypted cookie, eliminating the need for a server-side session store.

Table of Contents

Features

  • 🔐 AES-256-GCM encryption (or custom)
  • 🔁 Key rotation support
  • 🪪 Built for PassportJS
  • 💡 Lightweight & stateless

Installation

npm install passport-cookie-session

Usage

const express = require('express');
const passport = require('passport');
const passportCookieSession = require('passport-cookie-session');
const app = express();

app.use(passportCookieSession({
  name: 'auth',  // Optional. Default: 'session' — session cookie name

  keys: ['super-secret-key', 'old-key'],
  // Required. First key encrypts new cookies.
  // Others are accepted for decrypting old cookies (key rotation support).

  cookie: {
    httpOnly: true,     // Optional. Default: true — prevents JS access to cookie
    secure: false,      // Optional. Default: false — set true if using HTTPS
    sameSite: 'lax',    // Optional. Default: 'lax' — helps prevent CSRF
    path: '/',          // Optional. Default: '/' — cookie path scope
    maxAge: 60 * 60,    // Optional. Default: 86400 (1 day) — duration in seconds
    // domain: 'example.com' // Optional. Default: current domain
  },

  maxCookieSize: 4096,  // Optional. Default: 4096 bytes — max size, stay within browser limits

  // 🔐 Custom async encryption/decryption functions (optional)
  // Must return within the timeout or will throw.
  // ⚠️ WARNING: Example uses insecure XOR cipher. Do NOT use in production!

  encrypt: async function (data, signingKey) {
    const secretChars = signingKey.split('').map(c => c.charCodeAt(0));
    const textChars = data.split('').map(c => c.charCodeAt(0));
    const encryptedChars = textChars.map((ch, i) => ch ^ secretChars[i % secretChars.length]);
    return Buffer.from(encryptedChars).toString('base64');
  },

  decrypt: async function (data, signingKey) {
    const secretChars = signingKey.split('').map(c => c.charCodeAt(0));
    const encryptedChars = Buffer.from(data, 'base64');
    const decryptedChars = [...encryptedChars].map((ch, i) => ch ^ secretChars[i % secretChars.length]);
    return String.fromCharCode(...decryptedChars);
  },

  timeout: 3000,         // Optional. Default: 3000ms — max allowed time for encrypt/decrypt

  checkEncryption: true, // Optional. Default: false
  // Runs a startup check of your custom encrypt/decrypt functions in non-production environments.
  // Recommended during development to ensure your functions correctly round-trip data.
}));

app.use(passport.initialize());
app.use(passport.session());

// You must add and configure a Passport strategy for authentication, e.g.:
// passport.use(new LocalStrategy(...));

// Example serialization/deserialization
passport.serializeUser((user, done) => {
  done(null, { id: user.id, username: user.username });
});
passport.deserializeUser((user, done) => done(null, user));

API

passport-cookie-session(options)

Creates Express middleware for encrypted cookie sessions.

Options:

  • name (string) — Cookie name (default: 'session').

  • keys (string[]) — Secret keys:

    • First key is used to encrypt new cookies.
    • Remaining keys are accepted for decrypting old cookies (key rotation).

  • cookie (object) — Cookie options (see cookie npm docs):

    • path (default '/')
    • httpOnly (default true)
    • secure (default false)
    • sameSite (default 'lax')
    • maxAge (seconds; default 86400)
    • domain (optional)

  • maxCookieSize (number) — Maximum allowed cookie size in bytes (default: 4096).
    Keep within browser limits (typically 4096 bytes). Sessions exceeding this size will be rejected.
    Note: Session size may vary with user data length, so plan accordingly.

  • encrypt(data, key) (async function) — Optional custom encryption function.

  • decrypt(encrypted, key) (async function) — Optional custom decryption function.

  • timeout (number) — Optional timeout in milliseconds for encrypt/decrypt functions (default: 3000).

  • checkEncryption (boolean) — Optional (default: false).
    Enables a startup check that runs your custom encrypt/decrypt functions to verify correct round-trip encryption.
    Runs only in non-production environments. Strongly recommended during development if using custom functions.

Security Notes

  • Always use HTTPS in production and set secure: true.
  • Rotate keys by adding new keys at the start of the keys array.
  • Custom encrypt/decrypt should be cryptographically secure in real applications.
  • Avoid storing large or sensitive data in the session cookie — keep payload minimal (e.g., user ID).
  • Pay attention to the maxCookieSize to avoid cookie overflow and unexpected behavior.

License

MIT © robodin08