jshttp / cookie

HTTP server cookie parsing and serialization
MIT License

Missing Secure and HttpOnly flags on parsed cookies #115

Closed lewispham closed 4 years ago

lewispham commented 4 years ago

It looks like cookie.parse is bypassing all values that don't follow the key=value format. But shouldn't they be parsed with a boolean output instead?

Reproduce

cookie.parse(`foo=bar; HttpOnly; Secure`);

Current output

{ foo: "bar" };

Expected output

{ foo: "bar", Secure: true, HttpOnly: true }

dougwilson commented 4 years ago

From the docs (https://github.com/jshttp/cookie#cookieparsestr-options):

Parse an HTTP Cookie header string and returning an object of all cookie name-value pairs.

The Cookie header does not have httponly and secure flags like you are showing; that is the Set-Cookie header, which this module does not provide a parsing function for.
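
The distinction drawn in the reply above, as an added example that is not part of the thread or of the jshttp/cookie module: a minimal parser for a Set-Cookie response header that returns valueless attributes as booleans and reports whether Secure or HttpOnly is absent. The function names parseSetCookie and missingFlags and the sample headers are assumptions made for this illustration.

```javascript
// Added example: minimal Set-Cookie (response header) parser following RFC 6265 section 5.2.
// parseSetCookie and missingFlags are hypothetical helper names, not part of jshttp/cookie.

function parseSetCookie(header) {
  const parts = header.split(';');
  const pair = parts.shift();
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no name=value pair: the whole header is ignored
  const name = pair.slice(0, eq).trim();
  if (!name) return null; // empty cookie name: ignored as well
  const cookie = {
    name,
    value: pair.slice(eq + 1).trim(),
    attributes: Object.create(null), // no prototype, so attribute names cannot collide
  };
  for (const part of parts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (!key) continue; // empty segment such as a trailing ';'
    // Valueless attributes (Secure, HttpOnly) become boolean true.
    cookie.attributes[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Returns the protective flags a Set-Cookie header does not carry.
// RFC 6265 ignores any value given to Secure or HttpOnly, so presence is what counts.
function missingFlags(header) {
  const cookie = parseSetCookie(header);
  if (!cookie) return null;
  return ['secure', 'httponly'].filter((flag) => !(flag in cookie.attributes));
}

// Constructed sample headers for illustration.
const samples = [
  'foo=bar; HttpOnly; Secure',
  'sid=abc123; Path=/; SameSite=Lax; httponly',
  'theme=dark; Max-Age=3600',
];
for (const header of samples) {
  console.log(header, '->', JSON.stringify(parseSetCookie(header)),
    'missing:', missingFlags(header));
}
```

A Cookie request header carries only name=value pairs, so there is nothing for such a check to find there; it belongs on responses.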