Express: Set-Cookie with Partitioned Attribute (CHIPS)
Updated April 2026
Recent versions of Express (4.19+) support the partitioned option in res.cookie(). On older versions, set the Set-Cookie header directly.
Method 1 — res.cookie() with partitioned option
// Needs an Express release whose res.cookie() understands `partitioned`
// (4.19+). An older release may drop the option without raising an error, so
// confirm that the emitted Set-Cookie header really contains "Partitioned".
const sessionCookieOptions = {
  sameSite: 'none', // send the cookie in cross-site (embedded) contexts
  secure: true, // HTTPS only; browsers reject SameSite=None or Partitioned cookies that are not Secure
  partitioned: true, // CHIPS — required for Chrome 118+ third-party context
  httpOnly: true, // keep the session cookie out of reach of page scripts
  path: '/',
  maxAge: 86400000, // 24 hours in ms
};

res.cookie('session', value, sessionCookieOptions);
Method 2 — Raw header (works on all Express versions)
// Raw-header form. The string is sent exactly as written: nothing encodes the
// cookie value, and Max-Age is given in seconds here (res.cookie()'s maxAge
// option is in milliseconds). "abc" stands in for the real session value.
// res.setHeader() replaces any Set-Cookie value already queued on the
// response, so pass every cookie for the response in a single call.
const partitionedSessionCookie =
  'session=abc; SameSite=None; Secure; Partitioned; HttpOnly; Path=/; Max-Age=86400';
res.setHeader('Set-Cookie', partitionedSessionCookie);

// Multiple cookies — pass an array, one complete cookie string per entry.
// Only the cross-site session cookie is SameSite=None and Partitioned; the
// preference cookie stays first-party with SameSite=Lax.
const cookieLines = [
  'session=abc; SameSite=None; Secure; Partitioned; HttpOnly; Path=/',
  'pref=dark; SameSite=Lax; Secure; HttpOnly; Path=/',
];
res.setHeader('Set-Cookie', cookieLines);
Method 3 — cookie-parser / custom middleware
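// If using cookie-parser, set cookies via res.cookie().
// This middleware retrofits Partitioned onto cookies the application already
// emits: it wraps res.setHeader() and appends the attribute to every
// SameSite=None cookie that does not carry it yet.
//
// Register it before any middleware or route that sets cookies. Headers that
// never pass through res.setHeader() are not touched. Partitioning changes
// where the browser stores the cookie, so confirm that each affected cookie is
// meant to be scoped per embedding site before applying this across the board.
app.use((req, res, next) => {
  const originalSetHeader = res.setHeader.bind(res);

  // Attribute names and the SameSite value are case-insensitive, and the text
  // before the first ';' is the cookie's name=value pair. Looking only at the
  // attributes keeps a cookie whose name or value happens to contain
  // "Partitioned" or "SameSite=None" from being mistaken for the attribute.
  const hasAttribute = (attributes, wanted) =>
    attributes.some((attribute) => attribute.trim().toLowerCase() === wanted);

  // Returns the cookie string with "; Partitioned" appended when it is a
  // SameSite=None cookie without that attribute; otherwise returns it as is.
  const withPartitioned = (cookie) => {
    if (typeof cookie !== 'string') {
      return cookie;
    }
    const attributes = cookie.split(';').slice(1);
    const needsPartitioned =
      hasAttribute(attributes, 'samesite=none') &&
      !hasAttribute(attributes, 'partitioned');
    return needsPartitioned ? `${cookie}; Partitioned` : cookie;
  };

  res.setHeader = (name, value) => {
    if (name.toLowerCase() !== 'set-cookie') {
      return originalSetHeader(name, value);
    }
    // A single cookie arrives as a string, several as an array; normalise to
    // an array so each cookie is inspected on its own.
    const cookies = Array.isArray(value) ? value : [value];
    return originalSetHeader(name, cookies.map(withPartitioned));
  };

  next();
});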
Middleware order — CORS and cookies
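// If using the cors package, credentials must be true for cookies to work
// cross-site. Register it before the routes that set or read the cookie.
// With credentials enabled, keep `origin` an explicit allowlist of the sites
// that embed this service rather than echoing back the request's Origin.
app.use(
  cors({
    origin: 'https://embedding-site.com',
    credentials: true, // required for cookies in cross-site requests
  }),
);

// Cookie must also have SameSite=None; Secure; Partitioned.
// httpOnly keeps the session cookie unreadable from page scripts, matching
// the res.cookie() example under Method 1.
res.cookie('session', value, {
  sameSite: 'none',
  secure: true,
  partitioned: true,
  httpOnly: true,
});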