res.cookie()
Sets a cookie on the response with optional attributes.
Syntax
`res.cookie(name, value[, options])`
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | The cookie name. |
| value | string \| object | Yes | The cookie value (objects are JSON-serialized). |
| options | object | No | `maxAge`, `expires`, `httpOnly`, `secure`, `sameSite`, `signed`, `domain`, `path`. |
Returns
Response — The response object.
Examples
```js
app.get('/login', (req, res) => {
  res.cookie('sid', 'abc123', {
    httpOnly: true,
    secure: true,
    sameSite: 'lax',
    maxAge: 86400000,
  });
  res.send('logged in');
});
```
Output
```
Set-Cookie: sid=abc123; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
```
```js
app.get('/x', (req, res) => {
  // `signed: true` requires cookie-parser to be registered with a secret (see Notes).
  res.cookie('prefs', { theme: 'dark' }, { signed: true });
  res.end();
});
```
Notes
For session cookies always set `httpOnly` (blocks JS access),
`secure` (HTTPS only), and `sameSite` (CSRF mitigation). `signed:
true` requires `cookie-parser` with a secret. `maxAge` is in
milliseconds.
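
What `signed: true` does to the `prefs` cookie above, as an added example (not Express's or cookie-parser's own code): it rebuilds the `s:`/`j:` value format and the HMAC-SHA256 check with Node's `crypto`, showing that signing detects tampering but leaves the value readable. `SECRET`, `mac`, `signValue` and `verifyValue` are hypothetical names, and the strings are the URL-decoded cookie value.

```javascript
const crypto = require('crypto');

// Constructed secret for this demo; in an app it is the secret given to cookie-parser.
const SECRET = 'demo-secret-not-for-production';

// HMAC-SHA256 over the payload, base64 with the trailing padding removed.
function mac(payload, secret) {
  return crypto.createHmac('sha256', secret).update(payload)
    .digest('base64').replace(/=+$/, '');
}

// Objects become "j:" + JSON; the signed form is "s:" + payload + "." + MAC.
function signValue(value, secret) {
  const payload = typeof value === 'object' ? 'j:' + JSON.stringify(value) : String(value);
  return 's:' + payload + '.' + mac(payload, secret);
}

// Returns the original value, or false when the cookie is unsigned or altered.
function verifyValue(cookie, secret) {
  if (typeof cookie !== 'string' || !cookie.startsWith('s:')) return false;
  const body = cookie.slice(2);
  const dot = body.lastIndexOf('.');
  if (dot === -1) return false;
  const payload = body.slice(0, dot);
  const given = Buffer.from(body.slice(dot + 1));
  const expected = Buffer.from(mac(payload, secret));
  // Compare in constant time; timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return false;
  if (!payload.startsWith('j:')) return payload;
  try { return JSON.parse(payload.slice(2)); } catch { return false; }
}

const signed = signValue({ theme: 'dark' }, SECRET);
const tampered = signed.replace('dark', 'lite'); // client edits the value, keeps the old MAC

console.log(signed);                             // payload is plain text before the dot
console.log(verifyValue(signed, SECRET));        // original object
console.log(verifyValue(tampered, SECRET));      // false: MAC no longer matches
```

Because the payload is only authenticated, not encrypted, a signed cookie is still the wrong place for secrets.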