Skip to main content

The setHeaders function can't be used with the Set-Cookie header. Instead, you should use the cookies API.

In your load functions, you can read a cookie with cookies.get(name, options):

src/routes/+page.server.js
export function load({ cookies }) {
	const visited = cookies.get('visited');

	return {
		visited: visited === 'true'
	};
}

To set a cookie, use cookies.set(name, value, options). It's strongly recommended that you explicitly configure the path when setting a cookie, since browsers' default behaviour — somewhat uselessly — is to set the cookie on the parent of the current path.

src/routes/+page.server.js
export function load({ cookies }) {
	const visited = cookies.get('visited');

	cookies.set('visited', 'true', { path: '/' });

	return {
		visited: visited === 'true'
	};
}

Now, if you reload the iframe, Hello stranger! becomes Hello friend!.

Calling cookies.set(name, ...) causes a Set-Cookie header to be written, but it also updates the internal map of cookies, meaning any subsequent calls to cookies.get(name) during the same request will return the updated value. Under the hood, the cookies API uses the popular cookie package — the options passed to cookies.get and cookies.set correspond to the parse and serialize options from the cookie documentation. SvelteKit sets the following defaults to make your cookies more secure:

{
	httpOnly: true,
	secure: true,
	sameSite: 'lax'
}

Next: Shared modules

1
2
3
4
5
<script>
	export let data;
</script>
 
<h1>Hello {data.visited ? 'friend' : 'stranger'}!</h1>
initialising