2. Tutorials
  3. hapi — How to Manage Cookies and HTTP States Across Requests

hapi — How to Manage Cookies and HTTP States Across Requests

HTTP as a stateless protocol won’t keep the client’s state across different requests in your application. A common example for this scenario is the log-in and afterwards remember the user credentials for a defined time interval, like until the browser window gets closed. In case you don’t save the HTTP state across requests, the user needs to sign in again on every page that requires authentication.

This tutorial will show you how to save states for a client across requests and also how to update the associated data or remove the state at all.

hapi Series Overview

  1. Get Your Server Up and Running
  2. v17 Upgrade Guide (Your Move to async/await)
  3. Become a Better Developer in 2018
  4. Become a Better Developer in 2017
  1. What You’ll Build
  2. Prepare Your Project: Stack & Structure
  3. Environment Variables and Storing Secrets
  4. Set Up MongoDB and Connect With Mongoose
  5. Sending Emails in Node.js
  6. Load the User’s Profile Picture From Gravatar Using Virtuals in Mongoose
  7. Implement a User Profile Editing Screen
  8. Generate a Username in Mongoose Middleware
  9. Displaying Seasons and Episodes for TV Shows with Mongoose Relationship Population
  10. Implementing Pagination for Movies
  11. Implement a Watchlist
  12. Create a Full Text Search with MongoDB
  1. Create a REST API with JSON Endpoints
  2. Update Mongoose Models for JSON Responses
  3. API Pagination for TV Shows
  4. Customize API Endpoints with Query Parameters
  5. Always Throw and Handle API Validation Errors
  6. Advanced API Validation With Custom Errors
  7. Create an API Documentation with Swagger
  8. Customize Your Swagger API Documentation URL
  9. Describe Endpoint Details in Your Swagger API Documentation
  10. 10 Tips on API Testing With Postman
  11. JWT Authentication in Swagger API Documentation
  12. API Versioning with Request Headers
  1. IP-Based Rate Limits (Part 1 of 7)
  2. Rate Limits for Routes (Part 2 of 7)
  3. Dynamic Rate Limits (Part 3 of 7)
  4. Render a “Rate Limit Exceeded” View (Part 4 of 7)
  5. Show “Rate Limit Exceeded” Error on Login (Part 5 of 7)
  6. Disable Rate Limiting (Part 6 of 7)
  7. Rate Limiter Refactoring & Cleanup (Part 7 of 7)
  1. API Login With Username and Password to Generate a JWT
  2. JWT Authentication and Private API Endpoints
  3. Refresh Tokens With JWT Authentication
  4. Create a JWT Utility
  5. JWT Refresh Token for Multiple Devices
  6. Check Refresh Token in Authentication Strategy
  7. Rate Limit Your Refresh Token API Endpoint
  8. How to Revoke a JWT
  9. Invalidate JWTs With Blacklists
  10. JWT Logout (Part 1/2)
  11. JWT “Immediate” Logout (Part 2/2)
  12. A Better Place to Invalidate Tokens
  13. How to Switch the JWT Signing Algorithm
  14. Roll Your Own Refresh Token Authentication Scheme
  15. JWT Claims 101
  16. Use JWT With Asymmetric Signatures (RS256 & Co.)
  17. Encrypt the JWT Payload (The Simple Way)
  18. Increase JWT Security Beyond the Signature
  19. Unsigned JSON Web Tokens (Unsecured JWS)
  20. JWK and JWKS Overview
  21. Provide a JWKS API Endpoint
  22. Create a JWK from a Shared Secret
  23. JWT Verification via JWKS API Endpoint
  24. What is JOSE in JWT
  25. Encrypt a JWT (the JWE Way)
  26. Authenticate Encrypted JWTs (JWE)
  27. Encrypted and Signed JWT (Nested JWT)
  28. Bringing Back JWT Decoding and Authentication
  29. Bringing Back JWT Claims in the JWT Payload
  1. How to Run Separate Frontend and Backend Servers Within a Single Project
  2. How to Use Server Labels
  3. How to Correctly Stop Your Server and Close Existing Connections
  1. Basic Authentication With Username and Password
  2. Authentication and Remember Me Using Cookies
  3. How to Set a Default Authentication Strategy
  4. Define Multiple Authentication Strategies for a Route
  5. Restrict User Access With Scopes
  6. Show „Insufficient Scope“ View for Routes With Restricted Access
  7. Access Restriction With Dynamic and Advanced Scopes
  8. hapi - How to Fix „unknown authentication strategy“
  9. Authenticate with GitHub And Remember the Login
  10. Authenticate with GitLab And Remember the User
  11. How to Combine Bell With Another Authentication Strategy
  12. Custom OAuth Bell Strategy to Connect With any Server
  13. Redirect to Previous Page After Login
  14. How to Implement a Complete Sign Up Flow With Email and Password
  15. How to Implement a Complete Login Flow
  16. Implement a Password-Reset Flow
  1. Views in hapi 9 (and above)
  2. How to Render and Reply Views
  3. How to Reply and Render Pug Views (Using Pug 2.0)
  4. How to Create a Dynamic Handlebars Layout Template
  5. Create and Use Handlebars Partial Views
  6. Create and Use Custom Handlebars Helpers
  7. Specify a Different Handlebars Layout for a Specific View
  8. How to Create Jade-Like Layout Blocks in Handlebars
  9. Use Vue.js Mustache Tags in Handlebars Templates
  10. How to Use Multiple Handlebars Layouts
  1. Extend Your Server Functionality With Plugins
  2. Create Your Own Custom Plugin
  3. How to Register Plugins for a Selected Server Instance
  4. hapi Plugin for Client Geo Location (by Future Studio 🚀)
  5. Increase Development Speed With Errors in the Browser or as JSON Response
  1. Route Handling and Drive Traffic to Your Server
  2. How to Serve Static Files (Images, JS, CSS, etc.)
  3. How to Use Query Parameters
  4. Optional Path Parameters
  5. Multi-Segment/Wildcard Path Parameters
  6. Ignore Trailing Slashes on Route Paths
  7. How to Fix “Unsupported Media Type”
  1. How to Reply a JSON Response
  2. How to Set Response Status Code
  3. How to Handle 404 Responses for Missing Routes
  1. Query Parameter Validation With Joi
  2. Path Parameter Validation With Joi
  3. Request Payload Validation With Joi
  4. Validate Query and Path Parameters, Payload and Headers All at Once on Your Routes
  5. Validate Request Headers With Joi
  6. Reply Custom View for Failed Validations
  7. Handle Failed Validations and Show Errors Details at Inputs
  8. How to Fix AssertionError, Cannot validate HEAD or GET requests
  1. Add CSRF Protection on Forms and API Endpoints
  1. Report Errors to Sentry
  2. Don’t Report Errors to Sentry in Development Mode
  3. Logging Fundamentals
  4. Log to Console With Good
  5. Log to File With Good
  1. Getting Started With Testing Using Lab and Code
  2. Run Tests with Assertions using Code
  3. Test Route Handlers by Injecting Requests
  4. Inject Request Payload, Headers and Parameters While Testing Route Handlers
  1. Zero-Downtime Deployments Using PM2

Prepare a Cookie

HTTP state management in hapi is done using cookies. Cookie management is a two-step process in hapi. At first, you need to tell your server what state should be stored by providing a name and an object of options. To prepare your server for a cookie, use the server.state(name, options) method that tells the server to create a cookie with name and the related options.

The following example illustrates a very basic cookie configuration where you’re going to save a cookie for one day and encode its data as JSON and afterwards Base64.

hapi v17

const Hapi = require('hapi')

// create new server instance
const server = new Hapi.Server({  
  host: 'localhost',
  port: 3000
})

server.state('session', {  
  ttl: 1000 * 60 * 60 * 24,    // 1 day lifetime
  encoding: 'base64json'       // cookie data is JSON-stringified and Base64 encoded
})

hapi v16

const Hapi = require('hapi')

// create new server instance
const server = new Hapi.Server()

// add server’s connection information
server.connection({  
  host: 'localhost',
  port: 3000
})

server.state('session', {  
  ttl: 1000 * 60 * 60 * 24,    // 1 day lifetime
  encoding: 'base64json'       // cookie data is JSON-stringified and Base64 encoded
})

Notice that you use the state() method on your server object. If you split your application into multiple plugins, you’ve access to your server instance within the plugin itself. Depending on where you want to set your cookie definitions, you can do that individually in your plugins or globally outside the plugins.

There are multiple cookie options that you can use and benefit from. Please refer to the server state options in hapi’s API reference to read the complete list of available settings.

Create a Cookie

Your server is prepared to save a cookie called session and the cookie has a time to live of one day. To save a state and data to your cookie, you leverage the reply interface and call the state() method. Please notice, that the method name is the same for your server preparation and the cookie store functionality. In the end, both methods perform different tasks.

The following code snippet will get ahead on how to read a cookie to get its data. However, the important part is how to set the cookie data. As you can see in the example below, you read the existing cookie value, check if it’s already defined, update the lastVisit property and finally reply the Hello Future Studio message with a saved the state within the session cookie.

hapi v17

server.route({  
  method: 'GET',
  path: '/',
  config: {
    handler: (request, h) => {
      let cookie = request.state.session

      if (!cookie) {
        cookie = {
          username: 'futurestudio',
          firstVisit: false
        }
      }

      cookie.lastVisit = Date.now()

      return h.response('Hello Future Studio').state('session', cookie)
    }
  }
})

hapi v16

server.route({  
  method: 'GET',
  path: '/',
  config: {
    handler: function (request, reply) {
      var cookie = request.state.session

      if (!cookie) {
        cookie = {
          username: 'futurestudio',
          firstVisit: false
        }
      }

      cookie.lastVisit = Date.now()

      reply('Hello Future Studio').state('session', cookie)
    }
  }
})

Your session cookie now includes the username, indicates that the next request is not your first one and the time of your last visit. The lastVisit property is a custom field and is not used to evaluate the lifetime of the cookie itself.

Create Multiple Cookies

Up to this point, you’ve created a single cookie. There are situations where you want to create another one or multiple at the same time. The functionality is already available and you can just go ahead and chain the .state(name, data) method on your reply interface.

hapi v17

// prepare another cookie without encoding
// value must be string if no encoding is set
server.state('email', {  
  ttl: 1000 * 60 * 60 * 24 * 7    // 7 days lifetime
})

server.route({  
  method: 'GET',
  path: '/',
  config: {
    handler: (request, reply) => {
      let email = request.state.email
      let session = request.state.session

      if (!email) {
        email = 'info@futurestud.io'
      }


      if (!session) {
        session = { username: 'futurestudio', firstvisit: false }
      }

      cookie.lastVisit = Date.now()

      return h.response('Hello Future Studio')
        .state('session', session)
        .state('email', email)
    }
  }
})

hapi v16

// prepare another cookie without encoding
// value must be string if no encoding is set
server.state('email', {  
  ttl: 1000 * 60 * 60 * 24 * 7    // 7 days lifetime
})

server.route({  
  method: 'GET',
  path: '/',
  config: {
    handler: function (request, reply) {
      var email = request.state.email
      if (! email) {
        email = 'info@futurestud.io'
      }

      var session = request.state.session
      if (! session) {
        session = {
          username: 'futurestudio',
          firstvisit: false
        }
      }

      cookie.lastVisit = Date.now()

      reply('Hello Future Studio')
        .state('session', session)
        .state('email', email)
    }
  }
})

The first part of this snippet prepares the cookie via the server.state(name, options) method. Afterwards, you get the current cookie values for session and email, update individual fields if necessary on both objects and ultimately reply the request including both cookies.

Read a Cookie

Within the request.state object, you’ll find all your cookie data and you can access them using their defined name. Remember the server preparation from above? There you set your cookie name which is now used to access the data.

hapi v17

server.route({  
  method: 'GET',
  path: '/',
  config: {
    handler: (request, h) {
      const cookie = request.state.session

      if (cookie) {
        // use cookie values
      }

      return 'Hello Future Studio'
    }
  }
})

hapi v16

server.route({  
  method: 'GET',
  path: '/',
  config: {
    handler: function (request, reply) {
      var cookie = request.state.session

      if (cookie) {
        // use cookie values
      }

      reply('Hello Future Studio')
    }
  }
})

If you already stored data for your session cookie, you can use the data to perform further processing.

Update a Cookie Value

To update the cookie data, just go ahead and apply the same method as you would do to create it: reply().state(name, data). Because you never know if the cookie data is still existing due to cookie lifetime restrictions, make sure to check whether your cookie data is accessible after requesting it with request.state.cookieName.

hapi v17

server.route({  
  method: 'GET',
  path: '/',
  config: {
    handler: (request, h) {
      let updatedCookie = request.state.session

      if (updatedCookie) {
        updatedCookie.lastVisit = Date.now()
      }

      return h.response('Hello Future Studio').state('session', updatedCookie)
    }
  }
})

hapi v16

server.route({  
  method: 'GET',
  path: '/',
  config: {
    handler: function (request, reply) {
      var updatedCookie = request.state.session

      if (updatedCookie) {
        updatedCookie.lastVisit = Date.now()
      }

      reply('Hello Future Studio').state('session', updatedCookie)
    }
  }
})

The reply().state(name, data) method will override your existing data immediately.

Delete a Cookie

If you manually want to delete the cookie’s data, use the reply().unstate(name) method.

hapi v17

server.route({  
  method: 'GET',
  path: '/',
  config: {
    handler: (request, reply) => {
      return h.response('Hello Future Studio').unstate('session')
    }
  }
})

hapi v16

server.route({  
  method: 'GET',
  path: '/',
  config: {
    handler: function (request, reply) {
      reply('Hello Future Studio').unstate('session')
    }
  }
})

This will reset your cookie data and you don’t need to wait for the cookie ttl to exceed until the actual data gets deleted.

Outlook

The built-in support for HTTP state management in hapi lets you easily store user-related data and access it across multiple requests. Various cookie options allow you to specify cookie lifetime, encoding, and many more.

Do you have any question or just want to leave a message? Use the comments below or find us on Twitter @futurestud_io

Make it rock & enjoy coding!

Additional Resources

Marcus Pöhls

Marcus is a fullstack JS developer. He’s passionate about the hapi framework for Node.js and loves to build web apps and APIs. Creator of Futureflix and the “learn hapi” learning path.

Explore the Library

Find interesting tutorials and solutions for your problems.

Android

Node.js

Server

Miscellaneous