diff --git a/index.js b/index.js
index 85a0330c..763bd4a7 100644
--- a/index.js
+++ b/index.js
@@ -546,7 +546,7 @@ function getcookie(req, name, secrets) {
     raw = cookies[name];
 
     if (raw) {
-      if (raw.substr(0, 2) === 's:') {
+      if (raw.slice(0, 2) === 's:') {
         val = unsigncookie(raw.slice(2), secrets);
 
         if (val === false) {
@@ -573,7 +573,7 @@ function getcookie(req, name, secrets) {
     raw = req.cookies[name];
 
     if (raw) {
-      if (raw.substr(0, 2) === 's:') {
+      if (raw.slice(0, 2) === 's:') {
         val = unsigncookie(raw.slice(2), secrets);
 
         if (val) {
@@ -648,7 +648,7 @@ function issecure(req, trustProxy) {
   var header = req.headers['x-forwarded-proto'] || '';
   var index = header.indexOf(',');
   var proto = index !== -1
-    ? header.substr(0, index).toLowerCase().trim()
+    ? header.slice(0, index).toLowerCase().trim()
     : header.toLowerCase().trim()
 
   return proto === 'https';
diff --git a/test/session.js b/test/session.js
index a7d79b70..94d81b6a 100644
--- a/test/session.js
+++ b/test/session.js
@@ -1019,7 +1019,7 @@ describe('session()', function(){
         var store = new session.MemoryStore()
         var server = createServer({ resave: false, store: store }, function (req, res) {
           if (req.method === 'PUT') {
-            req.session.token = req.url.substr(1)
+            req.session.token = req.url.slice(1)
           }
           res.end('token=' + (req.session.token || ''))
         })