Version: 7.2.X

init

Session.init({
    cookieSecure?: boolean,
    cookieSameSite?: "strict" | "lax" | "none",
    sessionExpiredStatusCode?: number,
    cookieDomain?: string,
    errorHandlers?: ErrorHandlers,
    antiCsrf?: "NONE" | "VIA_CUSTOM_HEADER" | "VIA_TOKEN",
    override?: {
        functions?: function,
        apis?: function
    }
})

Parameters

cookieSecure (Optional)

  • Sets whether the cookies are issued with the Secure attribute.
  • Default: If the apiDomain is https, this is true.

cookieSameSite (Optional)

  • Sets the sameSite attribute for cookies issued by SuperTokens.
  • Default: If the apiDomain and the websiteDomain share the same top-level domain, then this is lax, else it's none.

sessionExpiredStatusCode (Optional)

  • The HTTP status code your backend APIs send on session expiry.
  • Default: 401

cookieDomain (Optional)

  • The domain from which the cookies will be created.
  • Default: The value of apiDomain

errorHandlers (Optional)

  • You can override the default SuperTokens error handlers and define your own custom handlers for unauthorised errors or token theft detection.
  • Default:
    • On unauthorised: Clear cookies and send a 401 status code to the frontend.
    • On token theft detection: Revoke the session, clear the cookies and send a 401 to the frontend.

antiCsrf (Optional)

  • See this page
  • Default: If sameSite is none, this is VIA_TOKEN, else it's VIA_CUSTOM_HEADER.

override (Optional)

  • Use this feature to override how this recipe behaves.
  • Default: undefined
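
The defaults for cookieSecure, cookieSameSite and antiCsrf depend on each other, so an explicit override of one can leave the others in a weak combination. The following is an added example, not SuperTokens code: resolveSessionConfig, auditSessionConfig and siteOf are hypothetical helpers that apply the defaults documented above and flag risky overrides, and the domains are constructed. The "same top-level domain" test is an assumption (a comparison of the last two host labels).

```javascript
// Added example: hypothetical helpers, not part of the SuperTokens SDK.
// Assumption: "same top-level domain" is approximated by comparing the last two
// host labels; this is not public-suffix aware (it misjudges e.g. *.co.uk).
function siteOf(origin) {
  return new URL(origin).hostname.split(".").slice(-2).join(".");
}

// Fill in unset options with the defaults documented on this page.
function resolveSessionConfig(apiDomain, websiteDomain, opts = {}) {
  const cookieSecure = opts.cookieSecure ?? (new URL(apiDomain).protocol === "https:");
  const cookieSameSite = opts.cookieSameSite ??
    (siteOf(apiDomain) === siteOf(websiteDomain) ? "lax" : "none");
  const antiCsrf = opts.antiCsrf ??
    (cookieSameSite === "none" ? "VIA_TOKEN" : "VIA_CUSTOM_HEADER");
  return { cookieSecure, cookieSameSite, antiCsrf };
}

// Flag explicit overrides that weaken the resolved cookie settings.
function auditSessionConfig(apiDomain, cfg) {
  const findings = [];
  if (new URL(apiDomain).protocol === "https:" && !cfg.cookieSecure) {
    findings.push("cookieSecure is false although apiDomain is https");
  }
  if (cfg.cookieSameSite === "none" && !cfg.cookieSecure) {
    findings.push("sameSite none without Secure: browsers enforcing SameSite rules reject it");
  }
  if (cfg.cookieSameSite === "none" && cfg.antiCsrf === "NONE") {
    findings.push("sameSite none with antiCsrf NONE: cross-site requests carry cookies unchecked");
  }
  return findings;
}

// Constructed sample deployments (hypothetical domains).
const api = "https://api.example.com";
const sameSiteCfg = resolveSessionConfig(api, "https://app.example.com");
const crossSiteCfg = resolveSessionConfig(api, "https://shop.example.org");
const riskyCfg = resolveSessionConfig(api, "https://shop.example.org",
  { cookieSecure: false, antiCsrf: "NONE" });

console.log(sameSiteCfg);
console.log(crossSiteCfg);
console.log(auditSessionConfig(api, riskyCfg));
```

Running the audit against the values you actually pass to Session.init, for example in a startup check or CI test, catches an override that silently cancels the default anti-CSRF choice.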