
I am using the express-session module. It works perfectly on localhost, but on my website (hosted on Heroku using Cloudflare) the express-session cookie is being blocked as a third-party cookie. Here is the configuration for my session:

```javascript
const express = require('express');
const session = require('express-session');

const app = express();

app.use(session({
  resave: false,
  saveUninitialized: false,
  proxy: true,                 // trust X-Forwarded-Proto from the Heroku/Cloudflare proxy
  cookie: {
    maxAge: 3600000000000,     // milliseconds: roughly 114 years
    httpOnly: false,           // cookie is readable by page scripts
    secure: false,             // cookie is also sent over plain HTTP
    domain: '.mydomain.com',   // placeholder domain
    path: '/'
  },
  store: sessionStore,         // the configured session store (not shown in the question)
  secret: 'mysecret',
  unset: 'destroy'
}));
```

Is this an issue with Express or maybe Cloudflare/Heroku?

Dan
  • Also, why is there a `.` before your domain? – jfriend00 Feb 16 '17 at 04:21
  • Blocked by Google Chrome, which blocks third party cookies by default. I get a dialog that says "This page was prevented from setting cookies". – Dan Feb 16 '17 at 04:22
  • Is there not supposed to be a . before the domain? – Dan Feb 16 '17 at 04:22
  • Okay I changed the . before the domain but I still get the same error. – Dan Feb 16 '17 at 04:24
  • What is the exact URL the browser is requesting when you try to set this session cookie and what is the exact domain you are attempting to set in the cookie. Real URLs and domains, please. – jfriend00 Feb 16 '17 at 04:27
  • I am using http://www.castcrunch.com as the domain and 'castcrunch.com' as the domain in my express session. – Dan Feb 16 '17 at 04:31
  • Also, did you try to just removing the domain entirely from the cookie? The browser will just assign the cookie to the domain that it came from. – jfriend00 Feb 16 '17 at 04:31
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/135819/discussion-between-user1023465-and-jfriend00). – Dan Feb 16 '17 at 04:33
  • So the cookie is automatically being set using the domain cast-crunch-server.herokuapp.com which is why it's showing up as a third party cookie it seems like express is ignoring my domain command... – Dan Feb 16 '17 at 04:37
  • Is there a redirect happening somewhere? – jfriend00 Feb 16 '17 at 05:22
  • Well I'm using one server to serve the client side content (which is mostly static) and then managing the sessions in my backend server (which is used to query my database). www.castcrunch.com is my client side server's URL and cast-crunch-server.herokuapp.com is my backend server URL. I'm trying to use the backend server to set the cookie if that makes sense... – Dan Feb 16 '17 at 05:35
  • Nope, I don't follow what you're doing. But, I'll bet that's the cause of your problem. – jfriend00 Feb 16 '17 at 05:38
  • did you ever figure this out? – William Reed Jun 24 '18 at 19:54
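The rule the comments above are circling, as an added example that is not code from the question or from anyone in the thread: a small model of what a browser does with a `Set-Cookie` header under RFC 6265, run against the hostnames from the comments. The public-suffix list and the "same site" test are simplified stand-ins for what real browsers ship, and the last scenario (the API served from a host under castcrunch.com) is an assumption the thread does not reach.

```javascript
// Added example, not from the question or the answer: models RFC 6265
// domain handling for a Set-Cookie received from `requestHost` while the
// top-level page is `pageHost`.

// RFC 6265 section 5.1.3: host domain-matches domain if they are equal, or
// host ends with "." + domain and host is a name, not an IPv4 address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.endsWith('.' + domain) && !/^\d+(\.\d+){3}$/.test(host);
}

// Constructed stand-in for the Public Suffix List (browsers ship the full
// list). A cookie may not be scoped to a public suffix such as herokuapp.com,
// otherwise every app hosted there could read it.
const PUBLIC_SUFFIXES = new Set(['com', 'herokuapp.com']);

// Registrable domain (eTLD+1): the shortest suffix whose parent is a public
// suffix. Used here as a simplified "same site" test.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join('.');
    const parent = labels.slice(i + 1).join('.');
    if (PUBLIC_SUFFIXES.has(parent)) return candidate;
  }
  return host.toLowerCase();
}

// Apply the storage rules of RFC 6265 section 5.3 to one Set-Cookie.
// domainAttr === null means the Domain attribute was omitted.
function evaluateSetCookie({ requestHost, domainAttr, pageHost }) {
  let cookieDomain;
  let hostOnly;
  if (domainAttr == null || domainAttr === '') {
    // No Domain attribute: host-only cookie on the responding host.
    cookieDomain = requestHost.toLowerCase();
    hostOnly = true;
  } else {
    // Section 5.2.3: a leading "." is ignored, so ".castcrunch.com" and
    // "castcrunch.com" mean the same thing.
    const domain = domainAttr.replace(/^\./, '').toLowerCase();
    if (PUBLIC_SUFFIXES.has(domain)) {
      return { stored: false, reason: `Domain=${domain} is a public suffix` };
    }
    if (!domainMatches(requestHost, domain)) {
      // Section 5.3 step 6: the cookie is ignored entirely.
      return { stored: false, reason: `${requestHost} does not domain-match ${domain}` };
    }
    cookieDomain = domain;
    hostOnly = false;
  }
  const thirdParty = registrableDomain(cookieDomain) !== registrableDomain(pageHost);
  return { stored: true, cookieDomain, hostOnly, thirdParty };
}

// The situations discussed in the thread, plus one it does not reach.
function questionScenarios() {
  const pageHost = 'www.castcrunch.com';
  const api = 'cast-crunch-server.herokuapp.com';
  return {
    // The question's config: Domain=castcrunch.com sent from the Heroku host.
    domainMismatch: evaluateSetCookie({ requestHost: api, domainAttr: '.castcrunch.com', pageHost }),
    // jfriend00's suggestion: drop the attribute; the cookie is host-only on the Heroku host.
    hostOnly: evaluateSetCookie({ requestHost: api, domainAttr: null, pageHost }),
    // Widening to the shared parent is not allowed either: herokuapp.com is a public suffix.
    publicSuffix: evaluateSetCookie({ requestHost: api, domainAttr: 'herokuapp.com', pageHost }),
    // Assumption beyond the thread: the API served from a host under castcrunch.com.
    sameSite: evaluateSetCookie({ requestHost: 'api.castcrunch.com', domainAttr: 'castcrunch.com', pageHost }),
  };
}

module.exports = { domainMatches, registrableDomain, evaluateSetCookie, questionScenarios };
```

In the question's setup the `Domain` attribute is rejected outright because the responding host does not domain-match it, and a cookie without the attribute is host-only on the herokuapp.com host, which the browser counts as third party relative to www.castcrunch.com. No express-session option changes that; only putting both hosts under one registrable domain does.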

1 Answer


# Why the cookie is blocked

From whatis.techtarget.com:

A third-party cookie is one that is placed on a user’s hard disk by a Web site from a domain other than the one a user is visiting.

As you mentioned in your comment, your client and your server are on different domains:
www.castcrunch.com is my client side server's URL and cast-crunch-server.herokuapp.com is my backend server URL

You can read more about cookie domains in the RFC 6265:

The Domain attribute specifies those hosts to which the cookie will be sent.


# What you could do about that

As mentioned in this dzone article, you could use JSON Web Tokens to do the authentication. Your server would send the token in the login response body, the client would store it and send it to the server in every subsequent request header.

The drawback with this approach, since you are storing the token, is that you would become vulnerable to XSS attacks. You have to pay special attention to that: sanitise all inputs, or better yet, use frameworks and languages that already do that.

Note: Of course, you could also uncheck the "block 3rd party cookies" option in the browser settings, but this does not seem like a long term solution :).

Ioanna
  • I guess using cookies is not an option for creating authentication, since a lot of people have 3rd party cookies blocked, especially on incognito – T S Jul 14 '22 at 21:06