Why does this work:
router.use(session({
name: process.env.SESSION_COOKIE,
genid: () => uuidv4(),
cookie: {
httpOnly: true,
},
secret: process.env.SESSION_SECRET,
store: new RedisStore({
host: process.env.REDIS_HOST,
port: process.env.REDIS_PORT,
ttl: 1 * 24 * 60 * 60, // In seconds
}),
saveUninitialized: false,
resave: false,
}));
But this doesn't?
router.use(session({
name: process.env.SESSION_COOKIE,
genid: () => uuidv4(),
cookie: {
httpOnly: true,
secure: true,
},
secret: process.env.SESSION_SECRET,
store: new RedisStore({
host: process.env.REDIS_HOST,
port: process.env.REDIS_PORT,
ttl: 1 * 24 * 60 * 60, // In seconds
}),
saveUninitialized: false,
resave: false,
}));
Setting secure to true results in the session cookie not being set at all. FWIW, I'm using PassportJS for authentication.
NOTE: This question might look similar to this one but the top-voted answer there doesn't quite address the issue. It says httpOnly is causing the problem but I don't understand why it would? The cookie isn't being set on the client, right?
The file in question is up at https://github.com/amitschandillia/proost/blob/master/web/routes/auth-routes.js.
NOTE 2: The server is SSL-enabled and the URL is https://www.schandillia.com.
The secure option for a cookie means that the cookie is ONLY sent by the browser over an https connection and, in some browsers, the cookie marked as "secure" won't even be saved by the browser for future requests if it arrives over an insecure connection.
Your server appears to be an http server so the cookie will not be sent back to your server on subsequent requests making the cookie disappear.
Related
I am having a project with frontend and expressjs backend, both are hosted in Vercel.
I am facing a problem with setting cookies,
if I am using
app.use(
cookieSession({
name: "portfolio-cookie-session",
secret: process.env.COOKIE_SECRET, //secret environment variable
httpOnly: true,
expires: getExpire(), //return date
sameSite: "none",
secure: true,
})
);
my frontend couldn't get any set-Cookies header,
browserheader-image
if I remove samesite and secure
app.use(
cookieSession({
name: "portfolio-cookie-session",
secret: process.env.COOKIE_SECRET, //secret environment variable
httpOnly: true,
expires: getExpire(), //return date
// sameSite: "none", <---remove
// secure: true, <---remove
})
);
then browser can show the cookie header however, it will blocked cause samesite problem
browserheader-image
warning-image
Thank you!
I know this question is redundant, but I have been searching and reading articles all around for hours now. I am using express-session to control user sessions for the express server. It works when I try to console req.session.user from a postman request. When I try to fire the same request from the browser, it returns undefined. Everyone is talking about Chrome security updates and third-party cookies restrictions. I've tried to stick to chrome guidelines on cookie options but didn't help. If I deployed my client or server to a secure domain would it help?
Here are my options
app.use(cors())
app.set('trust proxy', 1) // trust first proxy
app.use(session({
store: new (require('connect-pg-simple')(session))({pool}),
secret: process.env.SESSION_SECRET,
resave: true,
rolling: true,
cookie: {
maxAge: 30 * 60 * 1000, // 30 minutes
secure: false,
sameSite: 'none'
},
saveUninitialized: false,
}));
I am trying to implement some login process inside an iframe on external page and I found out that when I am entering website through iframe the session id of the request is different.
Firefox (correct behaviour):
Entering abc.com -> session_id = sometoken1
Entering dac.com where is iframe with abc.com -> session_id = sometoken1
Chrome (getting different token when entering through iframe)
Entering abc.com -> session_id = sometoken1
Entering dac.com where is iframe with abc.com -> session_id = sometoken2
I was wondering why on Firefox it's working correct and not on Chrome?
Should I add something more to session or cookies setup?:
api.use(session({
store: new RedisStore({ client: redisClient }),
secret: process.env.REDIS_SESSION_SECRET,
saveUninitialized: false,
resave: false,
}));
I am using Redis and express-session to store token from login proccess.
EDITED:
Additionally I found out that cookie property in req is undefined when opening iframe in Chrome.
The issue was in cookie setup, following config is working correct for me:
api.use(session({
store: new RedisStore({ client: redisClient }),
secret: process.env.REDIS_SESSION_SECRET,
resave: false,
saveUninitialized: true,
cookie: {
secure: true,
httpOnly: true,
sameSite: 'none',
maxAge: 60 * 60 * 24 * 1000
},
}));
I've looked through quite a few issues on this and have tried every combination of "solutions" for my problem but can't seem to figure this one out.
I currently have a client side react application being hosted on azure. Let's call this https://clientside.net for short.
I also have a server side node js application being hosted on azure we'll call this https://serverside.net.
I can't seem to to get the session variables to save upon authenticating users. This works perfectly fine on localhost btw.
e.g. On the client side we are making requests using axios like so:
const headers = {
withCredentials: true,
headers: { auth: process.env.REACT_APP_SECRET },
};
axios.get(`${process.env.REACT_APP_SERVER}/get/auth`, headers).then((response) => console.log("blah blah blah"));
On the server side this is how express session is setup...
app.use(
cors({
origin: ["https://clientside.net"],
methods: ["GET", "POST"],
credentials: true,
})
);
app.set("trust proxy", 1);
app.use(
session({
name: "sid",
saveUninitialized: false,
resave: false,
secret: "shhh",
cookie: {
domain: ".clientside.net",
maxAge: 1000 * 60 * 60 * 8,
secure: true,
httpOnly: false,
},
})
);
Within our authentication route on server side we are saving session like so ...
req.session.username = req.body.username;
req.session.password = req.body.password;
req.session.save(() =>
res
.status(202)
.json({
authenticated: true, username: req.session.username})
);
Upon refreshing or attempting to hit any other routes, the req.session.username & req.session.password are nowhere to be found. Is there something wrong with my session config? Or am I perhaps missing something? I appreciate any and all help on this! Thanks y'all
I've figure out the issue.
Deploying an application using azure app services, means you will be using a reverse proxy.
In my case nodeiis web service proxy.
The client side makes requests to the iis service which then routes the request to the node server.
I made many changes but the one that got me up and running was switching the cors origin and session domain to be the server side domain/ip like so...
app.use(
cors({
origin: ["https://serverside.net"],
methods: ["GET", "POST"],
credentials: true,
})
);
app.set("trust proxy", 1);
app.use(
session({
name: "sid",
saveUninitialized: false,
resave: false,
secret: "shhh",
cookie: {
domain: ".serverside.net",
maxAge: 1000 * 60 * 60 * 8,
secure: true,
httpOnly: false,
},
})
);
Now session variables are able to be successfully saved upon login.
My app is divided between Client and Server. Client is a frontend side Nextjs app hosted on Now.sh, Server is its backend created with Express and hosted on Heroku, so the domains are client-app.now.sh and server-app.herokuapp.com .
Authentication
Authentication system is based on cookies and I'm using express-session to achieve it. This is my express-session configuration
app.use(
session({
store:
process.env.NODE_ENV === "production"
? new RedisStore({
url: process.env.REDIS_URL
})
: new RedisStore({
host: "localhost",
port: 6379,
client
}),
name: "sessionID",
resave: false,
saveUninitialized: false,
secret: keys.SESSION,
unset: "destroy",
cookie: {
domain:
process.env.NODE_ENV === "production"
? ".client-app.now.sh"
: "localhost",
secure: process.env.NODE_ENV === "production",
httpOnly: true,
maxAge: 7 * 24 * 60 * 60 * 1000
}
})
);
Cors is set with the "cors" package:
app.use(
cors({
origin:
process.env.NODE_ENV === "production"
? process.env.CLIENT_URL
: "http://localhost:3000",
credentials: true
})
);
Client is configured with Apollo and "credentials" in HttpLink is set to "include".
The problem is that cookie with session ID is correctly set in development, but not in production. Could this be related to the fact that I'm hosting client and server on different domains?
I had my production node server behind a reverse proxy. This causes node to not trust the proxy and thus not set cookies.
I had to enable trusting the first proxy when in production.
app.set('trust proxy', 1) // trust first proxy
More info check out express-session's docs on the topic.
After a lot of time trying to solve this, I just found the solution:
So I had,
app.use(session({
secret: secret,
saveUninitialized: false,
resave: false,
cookie: {
domain: clientDomain,
secure: true
}
}));
I removed all the cookie object and this solved my issue:
app.use(session({
secret: secret,
saveUninitialized: false,
resave: false
}));
Browsers seems don't need help to get the cookies.