Validate session cookies
This guide is also available for:
CSRF protection must be implemented when using cookies and forms. This can be easily done by comparing the Origin
and Host
header.
For non-GET requests, check the request origin. You can use readSessionCookie()
to get the session cookie from a HTTP Cookie
header, and validate it with Lucia.validateSession()
. Make sure to delete the session cookie if it's invalid and create a new session cookie when the expiration gets extended, which is indicated by Session.fresh
.
import { verifyRequestOrigin } from "lucia";
// Only required in non-GET requests (POST, PUT, DELETE, PATCH, etc)
const originHeader = request.headers.get("Origin");
// NOTE: You may need to use `X-Forwarded-Host` instead
const hostHeader = request.headers.get("Host");
if (!originHeader || !hostHeader || !verifyRequestOrigin(originHeader, [hostHeader])) {
return new Response(null, {
status: 403
});
}
const cookieHeader = request.headers.get("Cookie");
const sessionId = lucia.readSessionCookie(cookieHeader ?? "");
if (!sessionId) {
return new Response(null, {
status: 401
});
}
const headers = new Headers();
const { session, user } = await lucia.validateSession(sessionId);
if (!session) {
const sessionCookie = lucia.createBlankSessionCookie();
headers.append("Set-Cookie", sessionCookie.serialize());
}
if (session && session.fresh) {
const sessionCookie = lucia.createSessionCookie(session.id);
headers.append("Set-Cookie", sessionCookie.serialize());
}
If your framework provides utilities for cookies, you can get the session cookie name with Lucia.sessionCookieName
.
const sessionId = getCookie(lucia.sessionCookieName);
When setting cookies you can get the cookies name, value, and attributes from the Cookie
object.
const sessionCookie = lucia.createSessionCookie(sessionId);
setCookie(sessionCookie.name, sessionCookie.value, sessionCookie.attributes);