 

How to access client cookie (with session ID) created by node.js Express?

I thought I understood how Cookies worked, but I guess not since I'm stuck on the following:

I cannot display a cookie with document.cookie, testing with alert(document.cookie); in my code.

I am playing around with node and have the following code snippet up on my server (everything else works and serving pages with Express):

var express = require('express')
, util = require('util')
, MemoryStore = express.session.MemoryStore
, app = express.createServer()
, sessionStore = new MemoryStore();

app.configure(function() {
    app.set('views', __dirname + '/views');
    app.set('view engine', 'ejs');
    app.use(express.logger());
    app.use(express.cookieParser());
    app.use(express.bodyParser());
    app.use(express.methodOverride());
    app.use(express.session({ 
            store: sessionStore, 
            secret: 'BBQ12345AHHH',
            key: 'cookie.sid' }));
    app.use(app.router);
    app.use(express.static(__dirname + '/public'));
    });

On my server, I see a cookie being sent when I hit index.ejs. Chrome also shows a cookie being sent in the header on index.ejs. However, when I add alert(document.cookie) in the of the index.ejs page, the alert is blank. What am I doing wrong?

Thanks

gotta have my pops asked May 06 '12 22:05



1 Answer

The Connect session cookies default to httpOnly, which Chrome respects, i.e. the cookies are inaccessible to client-side JavaScript.

A session cookie doesn't need to be read by client-side JavaScript, unless it's by malicious XSS scripts, so it's all good.

If you wanna override it though, try:

app.use(express.session({
  store: sessionStore,
  secret: 'BBQ12345AHHH',
  // httpOnly: false makes the session cookie readable via document.cookie
  cookie: { httpOnly: false },
  key: 'cookie.sid'
}));

Source: http://www.senchalabs.org/connect/session.html#session

Esailija answered Oct 21 '22 21:10
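
An added illustration, not part of the original answer: the Node.js sketch below models the behaviour the answer describes. It takes constructed Set-Cookie headers, returns what document.cookie would expose, and flags a session cookie that was sent without HttpOnly. The function names and sample header values are assumptions made for this example; cookie.sid is the key from the question, and path, domain, expiry and Secure matching are deliberately left out.

```javascript
// Added example, not code from the question or answer.
// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  if (eq < 1) return null; // no cookie name: nothing to store
  const cookie = {
    name: first.slice(0, eq).trim(),
    value: first.slice(eq + 1).trim(),
    attrs: new Map(),
  };
  for (const part of parts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs.set(key, i === -1 ? '' : part.slice(i + 1).trim());
  }
  return cookie;
}

// Simplified model of document.cookie: every cookie except HttpOnly ones.
// The attribute name alone counts; any value after "HttpOnly=" is ignored.
function scriptVisible(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c && !c.attrs.has('httponly'))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Review check: names of session cookies that page scripts could read.
function exposedSessionCookies(setCookieHeaders, sessionNames) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c && sessionNames.includes(c.name) && !c.attrs.has('httponly'))
    .map((c) => c.name);
}

// Constructed sample headers (values are made up for the example).
const defaultHeaders = [
  'cookie.sid=s%3Aconstructed.sig; Path=/; HttpOnly', // session default
  'theme=dark; Path=/',
];
const overriddenHeaders = [
  'cookie.sid=s%3Aconstructed.sig; Path=/', // after cookie: {httpOnly: false}
  'theme=dark; Path=/',
];

console.log(JSON.stringify(scriptVisible(defaultHeaders)));
console.log(JSON.stringify(scriptVisible(overriddenHeaders)));
console.log(exposedSessionCookies(overriddenHeaders, ['cookie.sid']));
```

With the default headers the session cookie is absent from the script-visible string, which is why the alert in the question shows no session ID.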