From fd82d1333b663340de72a6915f6e44dbf785b736 Mon Sep 17 00:00:00 2001
From: Lincon Dias <lincond@protonmail.com>
Date: Tue, 25 Feb 2025 14:13:10 -0300
Subject: [PATCH 1/3] feat: add support to dynamic cookie generation

---
 index.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/index.js b/index.js
index d41b2378..3f24ca3a 100644
--- a/index.js
+++ b/index.js
@@ -70,7 +70,7 @@ var defer = typeof setImmediate === 'function'
  * Setup session store with the given `options`.
  *
  * @param {Object} [options]
- * @param {Object} [options.cookie] Options for cookie
+ * @param {Object|Function} [options.cookie] Options for cookie
  * @param {Function} [options.genid]
  * @param {String} [options.name=connect.sid] Session ID cookie name
  * @param {Boolean} [options.proxy]
@@ -158,7 +158,7 @@ function session(options) {
   store.generate = function(req){
     req.sessionID = generateId(req);
     req.session = new Session(req);
-    req.session.cookie = new Cookie(cookieOptions);
+    req.session.cookie = new Cookie(typeof cookieOptions === 'function' ? cookieOptions(req) : cookieOptions);
 
     if (cookieOptions.secure === 'auto') {
       req.session.cookie.secure = issecure(req, trustProxy);
@@ -193,7 +193,8 @@ function session(options) {
 
     // pathname mismatch
     var originalPath = parseUrl.original(req).pathname || '/'
-    if (originalPath.indexOf(cookieOptions.path || '/') !== 0) {
+    var resolvedCookieOptions = typeof cookieOptions === 'function' ? cookieOptions(req) : cookieOptions
+    if (originalPath.indexOf(resolvedCookieOptions.path || '/') !== 0) {
       debug('pathname mismatch')
       next()
       return

From 518620ed0770588ee4c8b79650a8b9b985dbba6d Mon Sep 17 00:00:00 2001
From: Lincon Dias <lincond@protonmail.com>
Date: Wed, 26 Feb 2025 17:19:38 -0300
Subject: [PATCH 2/3] test: add tests when cookie option is a function

---
 test/session.js | 53 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/test/session.js b/test/session.js
index 7bf3e51f..1042b0eb 100644
--- a/test/session.js
+++ b/test/session.js
@@ -801,6 +801,59 @@ describe('session()', function(){
         })
       })
     })
+
+    describe('when "cookie" is a function', function () {
+      it('should call custom function and apply cookie options', function (done) {
+        var cookieCallbackCalled = false;
+        var cookieCallback = function () {
+          cookieCallbackCalled = true;
+          return { path: '/test', httpOnly: true, secure: false };
+        };
+        var server = createServer({ cookie: cookieCallback });
+        request(server)
+          .get('/test')
+          .expect(
+            shouldSetCookieWithAttributeAndValue('connect.sid', 'Path', '/test')
+          )
+          .expect(shouldSetCookieWithAttribute('connect.sid', 'HttpOnly'))
+          .expect(shouldSetCookieWithoutAttribute('connect.sid', 'Secure'))
+          .expect(200, function (err) {
+            if (err) return done(err);
+            assert.strictEqual(
+              cookieCallbackCalled,
+              true,
+              'should have called cookie callback'
+            );
+            done();
+          });
+      });
+
+      it('should provide req argument', function (done) {
+        var _path = '/test';
+        var cookieCallbackCalled = false;
+        var cookieCallback = function (req) {
+          cookieCallbackCalled = true;
+          return { path: req.url, httpOnly: true, secure: false };
+        };
+        var server = createServer({ cookie: cookieCallback });
+        request(server)
+          .get(_path)
+          .expect(
+            shouldSetCookieWithAttributeAndValue('connect.sid', 'Path', _path)
+          )
+          .expect(shouldSetCookieWithAttribute('connect.sid', 'HttpOnly'))
+          .expect(shouldSetCookieWithoutAttribute('connect.sid', 'Secure'))
+          .expect(200, function (err) {
+            if (err) return done(err);
+            assert.strictEqual(
+              cookieCallbackCalled,
+              true,
+              'should have called cookie callback'
+            );
+            done();
+          });
+      });
+    });
   })
 
   describe('genid option', function(){

From a50aa1f785907ccf54236f3865235ac5062cc4a3 Mon Sep 17 00:00:00 2001
From: Lincon Dias <lincond@protonmail.com>
Date: Mon, 17 Mar 2025 09:51:53 -0300
Subject: [PATCH 3/3] docs: add cookie callback example

---
 README.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/README.md b/README.md
index 65a37e63..d58d5f1a 100644
--- a/README.md
+++ b/README.md
@@ -49,6 +49,26 @@ For a list of stores, see [compatible session stores](#compatible-session-stores
 Settings object for the session ID cookie. The default value is
 `{ path: '/', httpOnly: true, secure: false, maxAge: null }`.
 
+In addition to providing a static object, you can also pass a callback function to dynamically generate the cookie options for each request. The callback receives the `req` object as its argument and should return an object containing the cookie settings.
+
+```js
+var app = express()
+app.use(session({
+  secret: 'keyboard cat',
+  resave: false,
+  saveUninitialized: true,
+  cookie: function(req) {
+    var match = req.url.match(/^\/([^/]+)/);
+    return {
+      path: match ? '/' + match[1] : '/',
+      httpOnly: true,
+      secure: req.secure || false,
+      maxAge: 60000
+    }
+  }
+}))
+```
+
 The following are options that can be set in this object.
 
 ##### cookie.domain