Version: 6.1.X

init

Session.init({
    cookieSecure?: boolean,
    cookieSameSite?: "strict" | "lax" | "none",
    sessionExpiredStatusCode?: number,
    cookieDomain?: string,
    errorHandlers?: ErrorHandlers,
    antiCsrf?: "NONE" | "VIA_CUSTOM_HEADER" | "VIA_TOKEN",
    override?: {
        functions?: function,
        apis?: function
    }
})

Parameters

cookieSecure (Optional)

  • Sets whether the cookies are issued with the Secure attribute.
  • Default: If the apiDomain is https, this is true.

cookieSameSite (Optional)

  • Sets the sameSite attribute for cookies issued by SuperTokens.
  • Default: If the apiDomain and the websiteDomain share the same top-level domain, then this is lax, else it's none.

sessionExpiredStatusCode (Optional)

  • The HTTP status code your backend APIs send on session expiry.
  • Default: 401

cookieDomain (Optional)

  • The domain from which the cookies will be created.
  • Default: The value of apiDomain

errorHandlers (Optional)

  • You can override the default SuperTokens error handlers and define your own custom handlers for the unauthorised and token theft detection cases.
  • Default:
    • On unauthorised: Clear cookies and send a 401 status code to the frontend.
    • On token theft detection: Revoke the session, clear the cookies and send a 401 to the frontend.

antiCsrf (Optional)

  • See this page
  • Default: If sameSite is none, this is VIA_TOKEN, else it's VIA_CUSTOM_HEADER.

override (Optional)

  • Use this feature to override how this recipe behaves.
  • Default: undefined
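
The defaults for cookieSecure, cookieSameSite and antiCsrf described above depend on one another, so overriding one of them can leave an inconsistent combination. The following is an added example, not SuperTokens code: siteOf, resolveSessionConfig and auditSessionConfig are hypothetical helpers, the domains are constructed, and "same top-level domain" is approximated by comparing the last two host labels.

```javascript
// Added example, not SuperTokens code: hypothetical helpers that mirror the
// defaults documented on this page so a config can be checked before deploy.

// Assumption: "same top-level domain" is approximated by the last two host
// labels. A production check should use the Public Suffix List.
function siteOf(origin) {
  return new URL(origin).hostname.split(".").slice(-2).join(".");
}

// Fill in the documented default for each option the caller left unset.
function resolveSessionConfig(apiDomain, websiteDomain, opts = {}) {
  const cookieSecure =
    opts.cookieSecure ?? (new URL(apiDomain).protocol === "https:");
  const cookieSameSite =
    opts.cookieSameSite ??
    (siteOf(apiDomain) === siteOf(websiteDomain) ? "lax" : "none");
  const antiCsrf =
    opts.antiCsrf ??
    (cookieSameSite === "none" ? "VIA_TOKEN" : "VIA_CUSTOM_HEADER");
  return { cookieSecure, cookieSameSite, antiCsrf };
}

// Report combinations where an explicit override departs from the documented
// default in a way that affects the session cookies.
function auditSessionConfig(cfg) {
  const findings = [];
  if (cfg.cookieSameSite === "none" && !cfg.cookieSecure) {
    findings.push("sameSite=none without cookieSecure: modern browsers reject the cookie");
  }
  if (cfg.cookieSameSite === "none" && cfg.antiCsrf !== "VIA_TOKEN") {
    findings.push(`sameSite=none with antiCsrf=${cfg.antiCsrf}: documented default is VIA_TOKEN`);
  }
  return findings;
}

// Constructed sample deployments (domains are placeholders).
const samples = [
  ["https://api.example.com", "https://www.example.com", {}],
  ["https://api.example.com", "https://app.example.org", {}],
  ["http://api.example.com", "https://shop.example.net", { antiCsrf: "NONE" }],
];
for (const [api, web, opts] of samples) {
  const cfg = resolveSessionConfig(api, web, opts);
  console.log(api, web, cfg, auditSessionConfig(cfg));
}
```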