Difference between req.cookies and req.signedCookies in Express.js

req.cookies: Request.Cookies are the cookies that come from the client (browser), and Response.Cookies are the cookies that will be sent back to the client (browser). Cookies are small pieces of data that the server sends to the client and that are stored on the client side. They help us keep track of the user's actions across requests.

cookie-parser is a middleware that parses the cookies attached to the client request object. When the cookie-parser middleware is in use, req.cookies is an object containing the cookies sent with the request. If the request contains no cookies, it defaults to { }.



const cookieParser = require('cookie-parser'); 
const express = require('express'); 
const app = express(); 
const PORT = 3000; 
// Mount cookie-parser before any route that reads req.cookies 
app.use(cookieParser()); 
app.get('/user', function (req, res) { 
    // Set two cookies; the browser returns them on the next request 
    res.cookie('name', 'Gourav'); 
    res.cookie('age', 12); 
    console.log(req.cookies); 
    res.send(); 
}); 
app.listen(PORT, function(err){ 
    if (err) console.log(err); 
    console.log("Server listening on PORT", PORT); 
}); 

Output: Now open your browser and make a GET request to http://localhost:3000/user; you will see the following output on your console:

Server listening on PORT 3000
[Object: null prototype] { name: 'Gourav', age: 12 }

req.signedCookies: The req.signedCookies property contains the signed cookies sent by the request, already unsigned and ready for use when the cookie-parser middleware is in use. Signing a cookie does not hide or encrypt it; it only prevents tampering with the cookie. It works by computing an HMAC of the cookie value, base64-encoding it, and attaching it to the cookie. When the cookie is read back, the signature is recalculated and checked against the signature attached to the cookie. If they do not match, the cookie is rejected as tampered. If no signed cookies are sent, the property defaults to { }.



const cookieParser = require('cookie-parser'); 
const express = require('express'); 
const app = express(); 
const PORT = 3000; 
// The secret below is an assumed placeholder; the signing key must stay private to the server 
app.use(cookieParser('replace-with-a-long-random-secret')); 
app.get('/user', function (req, res) { 
    // Setting multiple cookies 
    res.cookie('title', 'Gourav', { signed: true }); 
    res.cookie('age', 12, { signed: true }); 
    console.log(req.signedCookies); 
    res.send(); 
}); 
app.listen(PORT, function(err){ 
    if (err) console.log(err); 
    console.log("Server listening on PORT", PORT); 
}); 

Output: Now open your browser and make a GET request to http://localhost:3000/user; you will see the following output on your console:

Server listening on PORT 3000
[Object: null prototype] { title: 'Gourav', age: 12 }

Difference between req.cookies and req.signedCookies:

Tamper detection
    req.cookies: We cannot tell whether the data returned in the cookie was modified by the client.
    req.signedCookies: We use a signed cookie when we want assurance that the data returned in the cookie has not been modified by the client.

Default value
    req.cookies: If the request contains no cookies, it defaults to { }.
    req.signedCookies: If no signed cookies are sent, it defaults to { }.

Detection on the server
    req.cookies: The server cannot detect whether the cookies were changed by the client.
    req.signedCookies: The server can detect whether the cookies were changed by the client.

Signature
    req.cookies: No signature is added to the cookie.
    req.signedCookies: A signature is added as part of the cookie along with the actual cookie data. The signature is derived from the cookie data and from a secret that is known only to the server.