Set-Cookie with sameSite=none and secure = true - express

I am having a project with frontend and expressjs backend, both are hosted in Vercel.
I am facing a problem with setting cookies,
if I am using
app.use(
cookieSession({
name: "portfolio-cookie-session",
secret: process.env.COOKIE_SECRET, //secret environment variable
httpOnly: true,
expires: getExpire(), //return date
sameSite: "none",
secure: true,
})
);
my frontend couldn't get any set-Cookies header,
browserheader-image
if I remove samesite and secure
app.use(
cookieSession({
name: "portfolio-cookie-session",
secret: process.env.COOKIE_SECRET, //secret environment variable
httpOnly: true,
expires: getExpire(), //return date
// sameSite: "none", <---remove
// secure: true, <---remove
})
);
then browser can show the cookie header however, it will blocked cause samesite problem
browserheader-image
warning-image
Thank you!

Related

Apollo graphql application cookie not set in browser

I am using apollo graphql on backend side and using cookie authentication method. But when I set cookie on backend side cookie was in Set-Cookie header but doesn't showed in Browser->application ->cookies
response.cookie('tokens', token, {
httpOnly: true,
secure: true, //process.env.NODE_ENV === 'production',
sameSite: true,
expires: new Date(Date.now() + 1000 * 60 * 60 * 24),
});
Returned response:
Response image
Nothing here.
Application cookies
Tried many advices but nothing worked for me.
You can set the cookie by
context.setCookies.push({
name: "token",
value: result.token,
options: {
domain:'DOMAIN_NAME',
httpOnly: true,
maxAge: 36000,
secure: 'none',
path: '/',
sameSite:'None'
}
});
Remember to make sure domain name is your Server host name,
no need of protocol in domain, i.e., https
set samesite to none
by this, I was able to set the cookie and it was set in application folder in developers tool
you cannot test this in incognito,
in network tab, in the rest call, in cookie section, you can confirm if all attribute is set correct or not.

How to allow cookie in AWS S3?

I have a working react frontend on localhost during testing, but when I deploy to AWS, the cookie is not working at all. I can see that cookies are not set when inspecting the web page. I am using cookie Session and here is the setting.
app.use(cookieSession({
name: 'session',
secret: 'blablba',
// Cookie Options
sameSite: 'none',
secure : true,
maxAge: 10 * 60 * 1000,
httpOnly: true,
signed: false
}))
The cors setting
app.use(cors({
origin: 'example.com',
//origin: true,
credentials: true
}));
It is strange, and I assume my app can work when deploy to ec2 instead of s3. But I have to deploy to S3 because I am trying to do ci/cd here.
Thanks!

Express session not saving/persisting over https using azure app services

I've looked through quite a few issues on this and have tried every combination of "solutions" for my problem but can't seem to figure this one out.
I currently have a client side react application being hosted on azure. Let's call this https://clientside.net for short.
I also have a server side node js application being hosted on azure we'll call this https://serverside.net.
I can't seem to to get the session variables to save upon authenticating users. This works perfectly fine on localhost btw.
e.g. On the client side we are making requests using axios like so:
const headers = {
withCredentials: true,
headers: { auth: process.env.REACT_APP_SECRET },
};
axios.get(`${process.env.REACT_APP_SERVER}/get/auth`, headers).then((response) => console.log("blah blah blah"));
On the server side this is how express session is setup...
app.use(
cors({
origin: ["https://clientside.net"],
methods: ["GET", "POST"],
credentials: true,
})
);
app.set("trust proxy", 1);
app.use(
session({
name: "sid",
saveUninitialized: false,
resave: false,
secret: "shhh",
cookie: {
domain: ".clientside.net",
maxAge: 1000 * 60 * 60 * 8,
secure: true,
httpOnly: false,
},
})
);
Within our authentication route on server side we are saving session like so ...
req.session.username = req.body.username;
req.session.password = req.body.password;
req.session.save(() =>
res
.status(202)
.json({
authenticated: true, username: req.session.username})
);
Upon refreshing or attempting to hit any other routes, the req.session.username & req.session.password are nowhere to be found. Is there something wrong with my session config? Or am I perhaps missing something? I appreciate any and all help on this! Thanks y'all
I've figure out the issue.
Deploying an application using azure app services, means you will be using a reverse proxy.
In my case nodeiis web service proxy.
The client side makes requests to the iis service which then routes the request to the node server.
I made many changes but the one that got me up and running was switching the cors origin and session domain to be the server side domain/ip like so...
app.use(
cors({
origin: ["https://serverside.net"],
methods: ["GET", "POST"],
credentials: true,
})
);
app.set("trust proxy", 1);
app.use(
session({
name: "sid",
saveUninitialized: false,
resave: false,
secret: "shhh",
cookie: {
domain: ".serverside.net",
maxAge: 1000 * 60 * 60 * 8,
secure: true,
httpOnly: false,
},
})
);
Now session variables are able to be successfully saved upon login.

Why wouldn't express-session work when cookie is set to secure?

Why does this work:
router.use(session({
name: process.env.SESSION_COOKIE,
genid: () => uuidv4(),
cookie: {
httpOnly: true,
},
secret: process.env.SESSION_SECRET,
store: new RedisStore({
host: process.env.REDIS_HOST,
port: process.env.REDIS_PORT,
ttl: 1 * 24 * 60 * 60, // In seconds
}),
saveUninitialized: false,
resave: false,
}));
But this doesn't?
router.use(session({
name: process.env.SESSION_COOKIE,
genid: () => uuidv4(),
cookie: {
httpOnly: true,
secure: true,
},
secret: process.env.SESSION_SECRET,
store: new RedisStore({
host: process.env.REDIS_HOST,
port: process.env.REDIS_PORT,
ttl: 1 * 24 * 60 * 60, // In seconds
}),
saveUninitialized: false,
resave: false,
}));
Setting secure to true results in the session cookie not being set at all. FWIW, I'm using PassportJS for authentication.
NOTE: This question might look similar to this one but the top-voted answer there doesn't quite address the issue. It says httpOnly is causing the problem but I don't understand why it would? The cookie isn't being set on the client, right?
The file in question is up at https://github.com/amitschandillia/proost/blob/master/web/routes/auth-routes.js.
NOTE 2: The server is SSL-enabled and the URL is https://www.schandillia.com.
The secure option for a cookie means that the cookie is ONLY sent by the browser over an https connection and, in some browsers, the cookie marked as "secure" won't even be saved by the browser for future requests if it arrives over an insecure connection.
Your server appears to be an http server so the cookie will not be sent back to your server on subsequent requests making the cookie disappear.

Cookie not set with express-session in production

My app is divided between Client and Server. Client is a frontend side Nextjs app hosted on Now.sh, Server is its backend created with Express and hosted on Heroku, so the domains are client-app.now.sh and server-app.herokuapp.com .
Authentication
Authentication system is based on cookies and I'm using express-session to achieve it. This is my express-session configuration
app.use(
session({
store:
process.env.NODE_ENV === "production"
? new RedisStore({
url: process.env.REDIS_URL
})
: new RedisStore({
host: "localhost",
port: 6379,
client
}),
name: "sessionID",
resave: false,
saveUninitialized: false,
secret: keys.SESSION,
unset: "destroy",
cookie: {
domain:
process.env.NODE_ENV === "production"
? ".client-app.now.sh"
: "localhost",
secure: process.env.NODE_ENV === "production",
httpOnly: true,
maxAge: 7 * 24 * 60 * 60 * 1000
}
})
);
Cors is set with the "cors" package:
app.use(
cors({
origin:
process.env.NODE_ENV === "production"
? process.env.CLIENT_URL
: "http://localhost:3000",
credentials: true
})
);
Client is configured with Apollo and "credentials" in HttpLink is set to "include".
The problem is that cookie with session ID is correctly set in development, but not in production. Could this be related to the fact that I'm hosting client and server on different domains?
I had my production node server behind a reverse proxy. This causes node to not trust the proxy and thus not set cookies.
I had to enable trusting the first proxy when in production.
app.set('trust proxy', 1) // trust first proxy
More info check out express-session's docs on the topic.
After a lot of time trying to solve this, I just found the solution:
So I had,
app.use(session({
secret: secret,
saveUninitialized: false,
resave: false,
cookie: {
domain: clientDomain,
secure: true
}
}));
I removed all the cookie object and this solved my issue:
app.use(session({
secret: secret,
saveUninitialized: false,
resave: false
}));
Browsers seems don't need help to get the cookies.