
Implementation methods for Cookie and Session management in Koa

2月21日 15:53

Koa's Cookie and Session management are foundational features for building web applications. Koa core provides Cookie operations, while Session needs to be implemented through middleware.

1. Cookie Operations:

Koa core has built-in Cookie functionality, operated through the ctx.cookies object.

Setting Cookie:

javascript
app.use(async (ctx) => {
  // Basic setting: name and value only, library defaults for everything else.
  ctx.cookies.set('name', 'value');

  // Setting with options. Each attribute is written into the Set-Cookie header.
  const usernameCookieOptions = {
    maxAge: 3600000, // Expiration (milliseconds from now)
    expires: new Date('2025-12-31'), // Expiration date
    // NOTE(review): when both maxAge and expires are given the cookies library
    // derives expires from maxAge — confirm against the installed version
    path: '/', // Path
    domain: '.example.com', // Domain
    secure: true, // HTTPS only
    httpOnly: true, // Not readable from document.cookie, so an XSS cannot simply read it out
    sameSite: 'strict', // Not attached to cross-site requests (CSRF mitigation)
    signed: true, // Signed cookie; app.keys must be set for this to work
  };
  ctx.cookies.set('username', 'john', usernameCookieOptions);

  ctx.body = 'Cookie set';
});

Getting Cookie:

javascript
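app.use(async (ctx) => {
  // The cookie was written with `signed: true`, so it must be read back the
  // same way: without `{ signed: true }` the signature is never checked and a
  // client-edited value is accepted. A cookie whose signature does not verify
  // is returned as undefined, exactly like a missing cookie.
  const username = ctx.cookies.get('username', { signed: true });
  if (username === undefined) {
    // No valid cookie: do not interpolate `undefined` into the greeting.
    ctx.body = 'Hello guest';
    return;
  }
  ctx.body = `Hello ${username}`;
});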

Deleting Cookie:

javascript
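app.use(async (ctx) => {
  // A browser only discards a cookie whose name, path AND domain match the
  // ones it was set with, so the attributes used when setting the cookie
  // (path '/', domain '.example.com') are repeated here. A `null` value makes
  // the cookies library emit an already-expired cookie; with `signed: true`
  // the companion signature cookie is expired the same way (confirm against
  // the installed cookies version).
  ctx.cookies.set('username', null, {
    maxAge: 0,
    path: '/',
    domain: '.example.com',
    signed: true,
  });
  ctx.body = 'Cookie deleted';
});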

2. Session Management:

Use koa-session middleware to implement Session functionality.

Install:

bash
npm install koa-session

Basic configuration:

javascript
const session = require('koa-session');

// koa-session options; each comment states what the option controls.
const sessionConfig = {
  key: 'koa.sess', // Cookie name
  maxAge: 86400000, // Expiration (milliseconds)
  autoCommit: true, // Auto commit
  overwrite: true, // Overwrite
  httpOnly: true, // HTTP only: cookie not readable from page scripts
  signed: true, // Signed: tampering with the cookie is detected
  rolling: false, // Update expiration on each request
  renew: false, // Auto renew when near expiration
  secure: false, // HTTPS only — off here; the best-practice section says true in production
  sameSite: null, // SameSite policy — null leaves the browser default; 'strict' is the recommended production value
};

// Signing keys. Placeholder value — in a real deployment use a long random
// secret loaded from configuration, never a literal in source.
app.keys = ['your-secret-key']; // Must set for signing
app.use(session(sessionConfig, app));

Session usage:

javascript
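// Set Session
app.use(async (ctx, next) => {
  if (ctx.path !== '/login') {
    // Not this route: pass the request on. Without calling next() the
    // /profile and /logout middlewares below are never reached and every
    // other path ends as a 404.
    return next();
  }
  // Demo only: a real login verifies credentials before populating the session.
  ctx.session.user = { id: 1, name: 'John', role: 'admin' };
  ctx.body = 'Logged in';
});

// Get Session
app.use(async (ctx, next) => {
  if (ctx.path !== '/profile') {
    return next();
  }
  const user = ctx.session.user;
  if (user) {
    ctx.body = `Welcome ${user.name}`;
  } else {
    ctx.throw(401, 'Not logged in');
  }
});

// Delete Session
app.use(async (ctx, next) => {
  if (ctx.path !== '/logout') {
    return next();
  }
  // Assigning null discards the session and removes its cookie on commit.
  ctx.session = null;
  ctx.body = 'Logged out';
});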

3. Redis Session Storage:

For production, it's recommended to use Redis for Session storage.

Install:

bash
npm install koa-session koa-redis

Configure Redis Session:

javascript
const session = require('koa-session');
const RedisStore = require('koa-redis');

// Redis connection for the session store. The password is a placeholder;
// real credentials belong in configuration or the environment, not in source.
const redisStore = RedisStore({
  host: 'localhost',
  port: 6379,
  password: 'your-password',
  db: 0,
});

const sessionConfig = {
  store: redisStore, // Session data lives in Redis; the cookie then carries a session identifier rather than the data itself
  key: 'koa.sess',
  maxAge: 86400000,
  httpOnly: true,
  signed: true,
};

app.keys = ['your-secret-key']; // Required for the signed cookie
app.use(session(sessionConfig, app));

4. Authentication middleware example:

javascript
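// Authentication middleware: rejects the request with 401 unless a logged-in
// user is present on the session, otherwise continues down the chain.
async function authMiddleware(ctx, next) {
  // Optional chaining keeps this a clean 401 instead of a TypeError (500)
  // when koa-session is not mounted ahead of this middleware.
  if (!ctx.session?.user) {
    ctx.throw(401, 'Unauthorized');
  }
  await next();
}

// Use authentication middleware
router.get('/protected', authMiddleware, async (ctx) => {
  ctx.body = `Welcome ${ctx.session.user.name}`;
});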

5. JWT Token Authentication:

Use jsonwebtoken and koa-jwt to implement JWT authentication.

Install:

bash
npm install jsonwebtoken koa-jwt

Generate Token:

javascript
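const jwt = require('jsonwebtoken');

app.use(async (ctx) => {
  if (ctx.path === '/login') {
    // ctx.request.body is only populated when a body-parsing middleware is
    // mounted earlier in the chain (not shown here).
    const { username, password } = ctx.request.body;
    // Verify user (authenticateUser is defined elsewhere; presumably returns
    // a falsy value for bad credentials — confirm against its implementation)
    const user = await authenticateUser(username, password);
    if (!user) {
      // Without this guard a failed login reached `user.id` below and
      // crashed the handler with a 500 instead of a clean 401.
      ctx.throw(401, 'Invalid credentials');
    }
    // Generate Token. The payload is only encoded, not encrypted: anyone
    // holding the token can read it, so keep it to non-sensitive claims.
    // 'your-secret-key' is a placeholder — load a strong secret from
    // configuration in real code.
    const token = jwt.sign(
      { id: user.id, name: user.name },
      'your-secret-key',
      { expiresIn: '24h' }
    );
    ctx.body = { token };
  }
});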

Verify Token:

javascript
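const jwt = require('koa-jwt');

// Verify the token on every request except the listed public paths; on
// success the decoded payload is made available as ctx.state.user.
app.use(jwt({
  secret: 'your-secret-key', // placeholder — load from configuration
  // Pin the accepted algorithm to the one used for signing so a token that
  // declares a different algorithm is rejected (koa-jwt forwards verify
  // options to jsonwebtoken — confirm against the installed version).
  algorithms: ['HS256'],
}).unless({
  path: [/^\/public/, '/login', '/register'],
}));

// Access user info
app.use(async (ctx) => {
  ctx.body = ctx.state.user;
});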

6. Complete authentication flow example:

javascript
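const Koa = require('koa');
const Router = require('@koa/router');
const session = require('koa-session');
const jwt = require('jsonwebtoken');
const koaJwt = require('koa-jwt');

const app = new Koa();
const router = new Router();

// Single definition of the JWT secret so the value used for signing and the
// value used for verification cannot drift apart (the original repeated the
// literal in two places). Placeholder — load from configuration in real code.
const JWT_SECRET = 'jwt-secret';

// Session configuration (placeholder signing key)
app.keys = ['secret-key'];
app.use(session({ key: 'koa.sess', maxAge: 86400000 }, app));

// JWT middleware: every path outside /api/auth requires a valid token
app.use(koaJwt({ secret: JWT_SECRET }).unless({ path: [/^\/api\/auth/] }));

// Login route. Reading ctx.request.body requires a body-parsing middleware
// mounted before the router (not shown); without one the destructuring throws.
router.post('/api/auth/login', async (ctx) => {
  const { username, password } = ctx.request.body;
  // Verify user (the User model is defined elsewhere)
  const user = await User.findOne({ username });
  if (!user || !await user.comparePassword(password)) {
    // One message for both "unknown user" and "wrong password": the
    // response does not reveal which one failed.
    ctx.throw(401, 'Invalid credentials');
  }
  // Set Session
  ctx.session.user = { id: user.id, name: user.name };
  // Generate JWT Token. The payload is readable by whoever holds the token,
  // so it carries only non-sensitive claims.
  const token = jwt.sign(
    { id: user.id, name: user.name },
    JWT_SECRET,
    { expiresIn: '24h' }
  );
  ctx.body = { token, user: { id: user.id, name: user.name } };
});

// Protected route: ctx.state.user is the verified token payload
router.get('/api/user/profile', async (ctx) => {
  ctx.body = ctx.state.user;
});

// Logout route. Clears the server-side session only: a JWT issued earlier
// stays valid until its expiresIn elapses, since nothing here revokes it.
router.post('/api/auth/logout', async (ctx) => {
  ctx.session = null;
  ctx.body = { message: 'Logged out' };
});

app.use(router.routes());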

7. Security best practices:

  1. Cookie security:

    • Always set httpOnly: true so page scripts cannot read the cookie (limits what an XSS can steal)
    • Use secure: true for HTTPS only in production
    • Set sameSite: 'strict' to prevent CSRF
    • Use signed cookies to prevent tampering
  2. Session security:

    • Use strong random keys
    • Set reasonable expiration time
    • Use Redis storage in production
    • Clear session on logout
  3. JWT security:

    • Use strong secrets
    • Set reasonable expiration time
    • Use HTTPS for transmission
    • Implement token refresh mechanism
  4. Other security measures:

    • Limit login attempts
    • Implement password strength validation
    • Log authentication events
    • Regularly update secrets