I have a working react frontend on localhost during testing, but when I deploy to AWS, the cookie is not working at all. I can see that cookies are not set when inspecting the web page. I am using cookie Session and here is the setting.
app.use(cookieSession({
name: 'session',
secret: 'blablba',
// Cookie Options
sameSite: 'none',
secure : true,
maxAge: 10 * 60 * 1000,
httpOnly: true,
signed: false
}))
The cors setting
app.use(cors({
origin: 'example.com',
//origin: true,
credentials: true
}));
It is strange, and I assume my app can work when deploy to ec2 instead of s3. But I have to deploy to S3 because I am trying to do ci/cd here.
Thanks!
Related
I'm trying to perform a request to a backend service using Axios inside getServerSideProps, but it is failing because the session cookie that is needed for authentication is not included in context.req headers.
The application has its client on a subdomain (e.g. app.domain.com) and the backend service, which is based on Node/Express.js, is on another subdomain (e.g. api.domain.com). The cookie is being sent during authentication and seems to be correctly stored in the browser, but interestingly, it is not stored within the client subdomain, but as part of the backend subdomain (api.domain.com).
I'm using cookie-session for handling the response from Express with the following config flags:
app.use(
cookieSession({
signed: false,
secure: true,
httpOnly: true,
sameSite: "strict"
})
);
I've played with the cookie-session middleware config flags, setting sameSite to "none" and httpOnly to false, with no success. I've also checked the contents of the "context" object in getServerSideProps, just to confirm that the cookie is not being sent to the server.
Assuming you have correctly configured a middleware in your backend to send/accept credentials and accept CORS requests (e.g. https://expressjs.com/en/resources/middleware/cors.html), you can try to add the "domain" flag to cookieSession options.
app.use(
cookieSession({
signed: false,
domain: "your-domain.com",
secure: true,
httpOnly: true,
sameSite: "strict"
})
);
This way, the cookie will be stored in the "domain scope" and not restricted to your backend subdomain.
I am using apollo graphql on backend side and using cookie authentication method. But when I set cookie on backend side cookie was in Set-Cookie header but doesn't showed in Browser->application ->cookies
response.cookie('tokens', token, {
httpOnly: true,
secure: true, //process.env.NODE_ENV === 'production',
sameSite: true,
expires: new Date(Date.now() + 1000 * 60 * 60 * 24),
});
Returned response:
Response image
Nothing here.
Application cookies
Tried many advices but nothing worked for me.
You can set the cookie by
context.setCookies.push({
name: "token",
value: result.token,
options: {
domain:'DOMAIN_NAME',
httpOnly: true,
maxAge: 36000,
secure: 'none',
path: '/',
sameSite:'None'
}
});
Remember to make sure domain name is your Server host name,
no need of protocol in domain, i.e., https
set samesite to none
by this, I was able to set the cookie and it was set in application folder in developers tool
you cannot test this in incognito,
in network tab, in the rest call, in cookie section, you can confirm if all attribute is set correct or not.
I know this question is redundant, but I have been searching and reading articles all around for hours now. I am using express-session to control user sessions for the express server. It works when I try to console req.session.user from a postman request. When I try to fire the same request from the browser, it returns undefined. Everyone is talking about Chrome security updates and third-party cookies restrictions. I've tried to stick to chrome guidelines on cookie options but didn't help. If I deployed my client or server to a secure domain would it help?
Here are my options
app.use(cors())
app.set('trust proxy', 1) // trust first proxy
app.use(session({
store: new (require('connect-pg-simple')(session))({pool}),
secret: process.env.SESSION_SECRET,
resave: true,
rolling: true,
cookie: {
maxAge: 30 * 60 * 1000, // 30 minutes
secure: false,
sameSite: 'none'
},
saveUninitialized: false,
}));
I've looked through quite a few issues on this and have tried every combination of "solutions" for my problem but can't seem to figure this one out.
I currently have a client side react application being hosted on azure. Let's call this https://clientside.net for short.
I also have a server side node js application being hosted on azure we'll call this https://serverside.net.
I can't seem to to get the session variables to save upon authenticating users. This works perfectly fine on localhost btw.
e.g. On the client side we are making requests using axios like so:
const headers = {
withCredentials: true,
headers: { auth: process.env.REACT_APP_SECRET },
};
axios.get(`${process.env.REACT_APP_SERVER}/get/auth`, headers).then((response) => console.log("blah blah blah"));
On the server side this is how express session is setup...
app.use(
cors({
origin: ["https://clientside.net"],
methods: ["GET", "POST"],
credentials: true,
})
);
app.set("trust proxy", 1);
app.use(
session({
name: "sid",
saveUninitialized: false,
resave: false,
secret: "shhh",
cookie: {
domain: ".clientside.net",
maxAge: 1000 * 60 * 60 * 8,
secure: true,
httpOnly: false,
},
})
);
Within our authentication route on server side we are saving session like so ...
req.session.username = req.body.username;
req.session.password = req.body.password;
req.session.save(() =>
res
.status(202)
.json({
authenticated: true, username: req.session.username})
);
Upon refreshing or attempting to hit any other routes, the req.session.username & req.session.password are nowhere to be found. Is there something wrong with my session config? Or am I perhaps missing something? I appreciate any and all help on this! Thanks y'all
I've figure out the issue.
Deploying an application using azure app services, means you will be using a reverse proxy.
In my case nodeiis web service proxy.
The client side makes requests to the iis service which then routes the request to the node server.
I made many changes but the one that got me up and running was switching the cors origin and session domain to be the server side domain/ip like so...
app.use(
cors({
origin: ["https://serverside.net"],
methods: ["GET", "POST"],
credentials: true,
})
);
app.set("trust proxy", 1);
app.use(
session({
name: "sid",
saveUninitialized: false,
resave: false,
secret: "shhh",
cookie: {
domain: ".serverside.net",
maxAge: 1000 * 60 * 60 * 8,
secure: true,
httpOnly: false,
},
})
);
Now session variables are able to be successfully saved upon login.
My app is divided between Client and Server. Client is a frontend side Nextjs app hosted on Now.sh, Server is its backend created with Express and hosted on Heroku, so the domains are client-app.now.sh and server-app.herokuapp.com .
Authentication
Authentication system is based on cookies and I'm using express-session to achieve it. This is my express-session configuration
app.use(
session({
store:
process.env.NODE_ENV === "production"
? new RedisStore({
url: process.env.REDIS_URL
})
: new RedisStore({
host: "localhost",
port: 6379,
client
}),
name: "sessionID",
resave: false,
saveUninitialized: false,
secret: keys.SESSION,
unset: "destroy",
cookie: {
domain:
process.env.NODE_ENV === "production"
? ".client-app.now.sh"
: "localhost",
secure: process.env.NODE_ENV === "production",
httpOnly: true,
maxAge: 7 * 24 * 60 * 60 * 1000
}
})
);
Cors is set with the "cors" package:
app.use(
cors({
origin:
process.env.NODE_ENV === "production"
? process.env.CLIENT_URL
: "http://localhost:3000",
credentials: true
})
);
Client is configured with Apollo and "credentials" in HttpLink is set to "include".
The problem is that cookie with session ID is correctly set in development, but not in production. Could this be related to the fact that I'm hosting client and server on different domains?
I had my production node server behind a reverse proxy. This causes node to not trust the proxy and thus not set cookies.
I had to enable trusting the first proxy when in production.
app.set('trust proxy', 1) // trust first proxy
More info check out express-session's docs on the topic.
After a lot of time trying to solve this, I just found the solution:
So I had,
app.use(session({
secret: secret,
saveUninitialized: false,
resave: false,
cookie: {
domain: clientDomain,
secure: true
}
}));
I removed all the cookie object and this solved my issue:
app.use(session({
secret: secret,
saveUninitialized: false,
resave: false
}));
Browsers seems don't need help to get the cookies.