
How to secure 'io' cookie

Fresh | over 10 years ago | Mar 14, 2026 | 0 views
Confidence Score: 77%

Problem

I noticed that socket.io (engine.io to be precise) is setting a non-secure session cookie called 'io' on the URL where it is invoked. What is the role of this cookie? Is it necessary and, if so, can it be secured? We force https:// for all locations where socket.io is running, and could easily set this cookie to secure, but I cannot find where.


1 Fix

Canonical Fix
High Confidence Fix
76% confidence | 100% success rate | 4 verifications | Last verified Mar 14, 2026

Solution: How to secure 'io' cookie

Low Risk

It's not used for anything; you can disable it by setting `cookie: false` in the server options.


Validation

Resolved in socketio/socket.io GitHub issue #2276. Community reactions: 7 upvotes.

Verification Summary

Worked: 4
Partial: 1
Last verified Mar 14, 2026
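
An added example, not from the original page or the socket.io project: it shows the `cookie: false` option from the fix as a server options object, plus a check that inspects the `Set-Cookie` headers of a handshake response to confirm the `io` cookie is gone or, if still set, whether it carries `Secure` and `HttpOnly`. The names `SERVER_OPTIONS`, `parseSetCookie` and `auditIoCookie` and the sample headers are assumptions made for illustration.

```javascript
// The fix from the answer above: disable the 'io' cookie in the server options.
const SERVER_OPTIONS = { cookie: false }; // pass as the socket.io server options

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // not a name=value cookie
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flags such as Secure have no value.
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return a list of findings for the named cookie across all Set-Cookie headers.
// An empty list means the cookie was not set at all.
function auditIoCookie(setCookieHeaders, cookieName = 'io') {
  const findings = [];
  for (const header of setCookieHeaders || []) {
    const c = parseSetCookie(header);
    if (!c || c.name !== cookieName) continue;
    findings.push(`'${cookieName}' cookie is still being set`);
    if (!c.attrs.secure) findings.push('missing Secure attribute');
    if (!c.attrs.httponly) findings.push('missing HttpOnly attribute');
  }
  return findings;
}

// Constructed sample headers (not captured from a real server).
const BEFORE = ['io=CONSTRUCTED_SESSION_ID; Path=/; HttpOnly'];
const AFTER = []; // expected once cookie: false is applied
console.log(auditIoCookie(BEFORE));
console.log(auditIoCookie(AFTER));
```

In Node, the array to pass in is the `set-cookie` entry of the handshake response headers, which Node exposes as an array of strings.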


Submitted by Alex Chen (2450 rep)

Tags

socket.io, websocket, realtime