feat: add support to dynamic cookie options (#1027)

Co-authored-by: Sebastian Beltran <bjohansebas@gmail.com>
Co-authored-by: Ulises Gascón <ulisesgascongonzalez@gmail.com>

Author: 3 people

HISTORY.md

@@ -2,6 +2,27 @@
 
 ### 🚀 Improvements
 
+* Add dynamic cookie options support
+
+    Cookie options can now be dynamic, allowing for more flexible and context-aware configuration based on each request.  This feature enables programmatic modification of cookie attributes like `secure`, `httpOnly`, `sameSite`, `maxAge`, `domain`, and `path` based on session or request conditions.
+
+    ```js
+    var app = express()
+    app.use(session({
+      secret: 'keyboard cat',
+      resave: false,
+      saveUninitialized: true,
+      cookie: function (req) {
+        var match = req.url.match(/^\/([^/]+)/);
+        return {
+          path: match ? '/' + match[1] : '/',
+          httpOnly: true,
+          secure: req.secure || false,
+          maxAge: 60000
+        }
+      }
+    }))
+    ```
 * Add sameSite 'auto' support for automatic SameSite attribute configuration
 
     Added `sameSite: 'auto'` option for cookie configuration that automatically sets `SameSite=None` for HTTPS and `SameSite=Lax` for HTTP connections, simplifying cookie handling across different environments.

README.md

@@ -49,6 +49,26 @@ For a list of stores, see [compatible session stores](#compatible-session-stores
 Settings object for the session ID cookie. The default value is
 `{ path: '/', httpOnly: true, secure: false, maxAge: null }`.
 
+In addition to providing a static object, you can also pass a callback function to dynamically generate the cookie options for each request. The callback receives the `req` object as its argument and should return an object containing the cookie settings.
+
+```js
+var app = express()
+app.use(session({
+  secret: 'keyboard cat',
+  resave: false,
+  saveUninitialized: true,
+  cookie: function(req) {
+    var match = req.url.match(/^\/([^/]+)/);
+    return {
+      path: match ? '/' + match[1] : '/',
+      httpOnly: true,
+      secure: req.secure || false,
+      maxAge: 60000
+    }
+  }
+}))
+```
+
 The following are options that can be set in this object.
 
 ##### cookie.domain

index.js

@@ -70,7 +70,7 @@ var defer = typeof setImmediate === 'function'
  * Setup session store with the given `options`.
  *
  * @param {Object} [options]
- * @param {Object} [options.cookie] Options for cookie
+ * @param {Object|Function} [options.cookie] Options for cookie
  * @param {Function} [options.genid]
  * @param {String} [options.name=connect.sid] Session ID cookie name
  * @param {Boolean} [options.proxy]
@@ -158,7 +158,7 @@ function session(options) {
   store.generate = function(req){
     req.sessionID = generateId(req);
     req.session = new Session(req);
-    req.session.cookie = new Cookie(cookieOptions);
+    req.session.cookie = new Cookie(typeof cookieOptions === 'function' ? cookieOptions(req) : cookieOptions);
 
     var isSecure = issecure(req, trustProxy);
 
@@ -199,7 +199,8 @@ function session(options) {
 
     // pathname mismatch
     var originalPath = parseUrl.original(req).pathname || '/'
-    if (originalPath.indexOf(cookieOptions.path || '/') !== 0) {
+    var resolvedCookieOptions = typeof cookieOptions === 'function' ? cookieOptions(req) : cookieOptions
+    if (originalPath.indexOf(resolvedCookieOptions.path || '/') !== 0) {
       debug('pathname mismatch')
       next()
       return

test/session.js

@@ -802,6 +802,58 @@ describe('session()', function(){
       })
     })
 
+    describe('when "cookie" is a function', function () {
+      it('should call custom function and apply cookie options', function (done) {
+        var cookieCallbackCalled = false;
+        var cookieCallback = function () {
+          cookieCallbackCalled = true;
+          return { path: '/test', httpOnly: true, secure: false };
+        };
+        var server = createServer({ cookie: cookieCallback });
+        request(server)
+          .get('/test')
+          .expect(
+            shouldSetCookieWithAttributeAndValue('connect.sid', 'Path', '/test')
+          )
+          .expect(shouldSetCookieWithAttribute('connect.sid', 'HttpOnly'))
+          .expect(shouldSetCookieWithoutAttribute('connect.sid', 'Secure'))
+          .expect(200, function (err) {
+            if (err) return done(err);
+            assert.strictEqual(
+              cookieCallbackCalled,
+              true,
+              'should have called cookie callback'
+            );
+            done();
+          });
+      });
+
+      it('should provide req argument', function (done) {
+        var _path = '/test';
+        var cookieCallbackCalled = false;
+        var cookieCallback = function (req) {
+          cookieCallbackCalled = true;
+          return { path: req.url, httpOnly: true, secure: false };
+        };
+        var server = createServer({ cookie: cookieCallback });
+        request(server)
+          .get(_path)
+          .expect(
+            shouldSetCookieWithAttributeAndValue('connect.sid', 'Path', _path)
+          )
+          .expect(shouldSetCookieWithAttribute('connect.sid', 'HttpOnly'))
+          .expect(shouldSetCookieWithoutAttribute('connect.sid', 'Secure'))
+          .expect(200, function (err) {
+            if (err) return done(err);
+            assert.strictEqual(
+              cookieCallbackCalled,
+              true,
+              'should have called cookie callback'
+            );
+            done();
+          });
+      });
+    });
     describe('when "sameSite" set to "auto"', function () {
       describe('basic functionality', function () {
         before(function () {