Cookie syncing
Cookie syncing keeps document.cookie and the server-side socket.cookies map aligned without any manual fetch logic. The flow is automatic once the client bundle is loaded.
How it works
- Handshake – every WebSocket upgrade issues an
HttpOnlyzilaSessioncookie. The server stores the same token against theZilaClientinstance. - Sync trigger – when you change
socket.cookieson the server (or the browser mutatesdocument.cookie), the client runtime callsGET /zilaws/cookieSync. - Merge – the server reconciles values for the shared session and responds with any missing cookies so the browser stays in sync.
ℹ️ The
zilaSessioncookie is managed by ZilaWS. Attempts to change or delete it on the server are ignored.
Server-side usage
Use the exposed map on each ZilaClient to read and write cookies:
server.setMessageHandler("Login", async (client, token: string) => {
client.cookies.set("authToken", token); // Browser receives Set-Cookie automatically
});
server.setMessageHandler("Logout", (client) => {
client.cookies.delete("authToken");
});
- Prefer server-side writes so that authentication and session state remain authoritative.
- The map only exposes
get,set,delete,has, and iterators. Other mutations are intentionally blocked.
Recommended configuration
-
Restrict
cookieSyncAllowedOriginswhen hosting the sync endpoint on a shared domain:const server = new ZilaServer({
port: 6589,
cookieSyncAllowedOrigins: ["https://app.example.com"],
}); -
Enable HTTPS so the issued cookies gain the
Secureattribute. -
Keep browser logic simple: just load the latest ZilaWS client bundle—no custom polling required.
With these basics in place, you get a single source of truth for cookies, reliable session tracking, and automatic propagation of any values you set on the server.