Validate session cookies

This guide is also available for:

CSRF protection must be implemented when using cookies and forms. This can be easily done by comparing the Origin and Host header.

For non-GET requests, check the request origin. You can use readSessionCookie() to get the session cookie from a HTTP Cookie header, and validate it with Lucia.validateSession(). Make sure to delete the session cookie if it's invalid and create a new session cookie when the expiration gets extended, which is indicated by Session.fresh.

import { verifyRequestOrigin } from "lucia";

// Only required in non-GET requests (POST, PUT, DELETE, PATCH, etc)
const originHeader = request.headers.get("Origin");
// NOTE: You may need to use `X-Forwarded-Host` instead
const hostHeader = request.headers.get("Host");
if (!originHeader || !hostHeader || !verifyRequestOrigin(originHeader, [hostHeader])) {
	return new Response(null, {
		status: 403

const cookieHeader = request.headers.get("Cookie");
const sessionId = lucia.readSessionCookie(cookieHeader ?? "");
if (!sessionId) {
	return new Response(null, {
		status: 401

const headers = new Headers();

const { session, user } = await lucia.validateSession(sessionId);
if (!session) {
	const sessionCookie = lucia.createBlankSessionCookie();
	headers.append("Set-Cookie", sessionCookie.serialize());

if (session && session.fresh) {
	const sessionCookie = lucia.createSessionCookie(;
	headers.append("Set-Cookie", sessionCookie.serialize());

If your framework provides utilities for cookies, you can get the session cookie name with Lucia.sessionCookieName.

const sessionId = getCookie(lucia.sessionCookieName);

When setting cookies you can get the cookies name, value, and attributes from the Cookie object.

const sessionCookie = lucia.createSessionCookie(sessionId);
setCookie(, sessionCookie.value, sessionCookie.attributes);