Cookies and Sessions
Vext provides first-party cookie parsing, response cookie helpers, and an explicit session middleware. The feature is zero-dependency and works across Native, Hono, Fastify, Express, and Koa adapters.
Cookies
Every request exposes parsed cookies:
Set cookies through res.cookie() and clear them through res.clearCookie():
Multiple res.cookie() calls are emitted as multiple Set-Cookie headers. Vext does not join them with commas.
req.cookies is readonly and uses first-wins semantics for duplicate cookie names. res.cookie() also supports priority, partitioned, and a custom encode function for advanced cases.
Cookie Validation
validate.cookie validates parsed cookie values and emits OpenAPI in: cookie parameters:
Validation order is param -> query -> header -> cookie -> body.
Built-in OpenAPI docs can display validate.cookie as cookie parameters. Browser Try it out cannot set the forbidden Cookie header directly; use cookies already present for the same origin, a browser login flow, or an HTTP client such as cURL for manual cookie values.
Sessions
Session support is installed explicitly:
Use req.session in route handlers:
The session object supports:
Session metadata such as id, isNew, save, regenerate, and destroy is non-enumerable and is not persisted into the store.
Configuration
config.session provides defaults consumed by session():
secure: "auto" sends Secure only for HTTPS requests. The default memory store is suitable for development, tests, and single-process deployments. Use VextSessionStore for shared production stores:
If a custom store exposes close(), Vext treats it as store-owned lifecycle. Register an app.onClose() hook or close it in your plugin teardown; the session middleware does not automatically close stores it did not create.
Cache Safety
Route cache is conservative around cookies:
- requests with a
Cookieheader bypass cache by default - responses with
Set-Cookieare never written to cache - set
allowCookieCache: trueonly for routes whose cookie input is known to be safe