Safeguard
Open Source

React Native Cookies: Managing and Securing Session Cookies

A guide to react-native-cookies for reading and writing HTTP cookies in React Native apps, the platform gotchas, and how to keep session cookies secure.

Aisha Rahman
Security Analyst
5 min read

React Native cookies management is usually handled by the @react-native-cookies/cookies package, which lets your app read, set, and clear native HTTP cookies on iOS and Android — but the library is now deprecated, so new projects should reach for a maintained successor. If your app talks to a session-cookie-based backend, or you need to share auth state between a WebView and your native networking, you'll hit the limits of React Native's built-in fetch cookie handling fast. That's the gap react native cookies libraries fill. This guide covers what the package does, the platform quirks that trip people up, and the security practices that matter when you're storing session tokens on a device.

What the library does

@react-native-cookies/cookies (the community-maintained successor to the older react-native-cookies) exposes the native cookie store to JavaScript. Its core API:

import CookieManager from '@react-native-cookies/cookies';

// set a cookie for an origin
await CookieManager.set('https://api.example.com', {
  name: 'session',
  value: 'abc123',
  domain: 'api.example.com',
  path: '/',
  secure: true,
  httpOnly: true,
});

// read cookies as a header string
const cookies = await CookieManager.get('https://api.example.com');

// clear everything
await CookieManager.clearAll();

Additional methods include getAll() and clearByName(), though note that getAll() and clearByName() are iOS-only. The package supports iOS and Android; it does not support Windows, macOS, or web, and Expo maintains its own cookie handling.

The WebKit gotcha that costs an afternoon

The single most common source of confusion: on iOS with WebView, cookies live in a separate WebKit store (WKHTTPCookieStore) that is not automatically shared with your native HTTP requests. Set a cookie through the standard API and your WebView may not see it, or vice versa. The library provides WebKit-specific methods to target that store. There's also a timing trap — attempting to set a cookie too early in the app lifecycle can return a false positive, reporting success while nothing was actually written. If a cookie "sets" but never appears, suspect timing first.

Security practices for session cookies on a device

A cookie holding a session token is a credential, and a mobile device is a hostile-enough environment that you should treat it like one.

  1. Always set secure and httpOnly. secure keeps the cookie off plaintext HTTP; httpOnly keeps it out of reach of any JavaScript running in a WebView, which blunts XSS-based theft. Set these when your server issues the cookie, and mirror them if you set cookies client-side.
  2. Prefer short-lived sessions with refresh. A stolen long-lived cookie is a long-lived compromise. Short expiry plus a refresh flow limits the blast radius.
  3. Clear cookies on logout — really clear them. Call clearAll() (and the WebKit clear on iOS) so a shared or lost device doesn't leave a live session behind. Verify on both platforms; the iOS WebKit store is easy to forget.
  4. Don't hand-roll storage of the raw token. If you must persist auth beyond the cookie store, use the platform keychain/keystore rather than AsyncStorage, which is unencrypted.
  5. Pin the version and scan the package. This is a native module with a footprint in both your JS and native builds. An SCA tool will flag known advisories in it or its dependencies, which matters more than usual given the package's deprecation.

The deprecation, and what to use instead

@react-native-cookies/cookies has been deprecated. The maintainers point users toward modern replacements built for React Native's New Architecture, such as @preeternal/react-native-cookie-manager (a TypeScript, TurboModules-based drop-in replacement) and react-native-nitro-cookies. For an existing app the migration isn't urgent, but a deprecated native module will eventually lag behind React Native releases and stop building cleanly against new versions — the same slow-decay problem any abandoned dependency has. Plan the swap before it becomes the thing blocking a React Native upgrade.

An SCA scanner such as Safeguard can watch the dependency for new advisories in the meantime, so you're migrating on your schedule rather than reacting to a disclosure. The Academy has more on assessing whether a library is safe to adopt before you commit to it.

Putting it together

React native cookies handling is one of those areas that seems trivial until session state won't sync between your WebView and native calls, or a logout leaves a cookie behind on iOS. Use the maintained successor package, always set secure and httpOnly on session cookies, clear both the standard and WebKit stores on logout, and keep the native module patched. The security of your users' sessions depends more on those habits than on which specific cookie library you chose.

FAQ

Is @react-native-cookies/cookies still maintained?

No. The package is deprecated. The maintainers recommend modern alternatives built for the New Architecture, such as @preeternal/react-native-cookie-manager and react-native-nitro-cookies. Existing apps can keep using it short-term but should plan a migration.

Why don't my cookies sync between WebView and native requests on iOS?

On iOS, WebView cookies are stored in the separate WebKit store (WKHTTPCookieStore), which isn't automatically shared with native HTTP requests. Use the library's WebKit-specific methods to target that store, and watch for the timing trap where setting a cookie too early reports a false success.

How do I secure session cookies in React Native?

Set the secure and httpOnly flags so cookies stay off plaintext HTTP and out of JavaScript's reach, use short-lived sessions with a refresh flow, clear both the standard and WebKit cookie stores on logout, and store any persisted tokens in the platform keychain rather than unencrypted AsyncStorage.

Does the library work with Expo or on the web?

It supports iOS and Android only — not Windows, macOS, or web. Expo maintains its own cookie handling, so if you're on Expo, follow its guidance rather than adding this native module.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.