I have an express-session set up to use cookies which get stored in a database. This works perfectly in Firefox, but in Chrome it doesn't seem to ever save the cookie, so the session is never reflected by the client.

// Requires added so the snippet runs stand-alone; `data[0]` is the secret
// loaded elsewhere in the original app and is left as in the question.
const express = require('express');
const mongoose = require('mongoose');
const expressSession = require('express-session');
const connectMongo = require('connect-mongo')(expressSession); // connect-mongo v3 API

const app = express();

app.use(expressSession({
  secret: data[0],
  cookie: {
    httpOnly: false,
    secure: true, // the cookie is only issued when the request is seen as HTTPS
    maxAge: 14 * 24 * 60 * 60 * 1000, // 14 days
  },
  store: new connectMongo({ mongooseConnection: mongoose.connection }),
  resave: false,
  saveUninitialized: false,
}));

In Firefox, it definitely saves a cookie as connect.sid, and saves data between page loads.

In Chrome, it saves some of my browser-side set cookies, such as analytics and ones I set with JavaScript, but connect.sid is never saved.

EDIT: So I've discovered it has to do with secure: true, but I don't want to disable it if I don't have to.

I thought it had to do with xhr.withCredentials, but that didn't seem to fix it; plus the page says that it doesn't affect same-site requests, which mine always are.

stackers

2 Answers


Not sure where you were hosting your server, but after struggling with a similar problem, you can use the following line. It could be that your server is hosted in places such as Heroku, as per this other Stack Overflow thread: PassportJS callback switch between http and https

app.set('trust proxy', 1); // trust the first proxy hop (e.g. Heroku's router) so X-Forwarded-Proto marks the request as HTTPS
VericalId


I had the same problem, as the cookies were not being saved when deployed. This applies if your backend server and frontend app are hosted on different domains, i.e. different IPs. The reason it works on Firefox is that it still shows a warning if the sameSite attribute value is not provided, but allows the cookie to be set in the browser in a cross-domain context. Whereas, in all Chromium-based applications, if the sameSite attribute value is not provided in the cookie in a cross-domain context, the cookies are not set or saved in the browser, and in turn these cookies are not sent along with the request to the server to fetch a user's data.

  • Then you need to set sameSite: 'none', which indicates whether a cookie is intended to be used in a cross-site context.
  • Also, the Secure attribute must be set to true (secure: true) when the SameSite attribute has been set to 'none'. To protect user data from cross-site request forgery, this policy was adopted by most browsers and will in turn prevent your cookie from being saved. For more info check the docs.
  • If secure is set to true and your request to the server is sent over HTTP, the cookie will not be saved in the browser. Check the MDN docs.
  • If you have your Node.js behind a proxy and are using secure: true, you need to set "trust proxy" in Express:
const express = require('express');
const session = require('express-session');
const MongoStore = require('connect-mongo'); // connect-mongo v4+ API (MongoStore.create)

const app = express();

// app.set('trust proxy', 1); // either use this or set proxy: true when setting up the session
app.use(
    session({
        secret: 'session secret',
        cookie: {
            sameSite: 'none',
            secure: true,
            maxAge: 30000
        },
        proxy: true, // or use this
        resave: false,
        saveUninitialized: false,
        store: MongoStore.create({
            mongoUrl: 'database uri',
        }),
    })
);
roxylius
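Both answers come down to two separate gates the connect.sid cookie has to pass. First, express-session refuses to emit a `secure: true` cookie unless it believes the request arrived over HTTPS; behind a TLS-terminating router such as Heroku's the socket is plain HTTP, so without `proxy: true` or `app.set('trust proxy', 1)` the Set-Cookie header is never sent at all, whatever the browser. Second, Chromium refuses to store a cookie set in a cross-site context unless it carries `SameSite=None; Secure`, and refuses a Secure cookie delivered over plain http. The following is an added example, not code from the question or from either answer: a dependency-free Node.js model of both gates so each failure case above can be reproduced offline. `requestIsSecure`, `sessionCookieHeader`, `chromiumAccepts`, `runScenarios` and the Heroku-style sample request are constructed names and data for illustration; the rules they encode follow express-session's documented `proxy` handling and Chromium's SameSite/Secure policy in simplified form (the Lax+POST grace period is left out, and the `proxy` option and `trust proxy` setting are collapsed into one flag).

```javascript
'use strict';
// Added example: a model of why connect.sid never reaches Chrome's cookie jar.
// Names and sample data are constructed; rules are simplified (see lead-in).

// Part 1, server side. express-session only issues a `secure: true` cookie
// when it considers the request HTTPS. On a TLS-terminating proxy the socket
// is plain HTTP, so the proxy must be trusted for X-Forwarded-Proto to count.
function requestIsSecure(req, trustProxy) {
  if (req.socketEncrypted) return true;        // TLS terminated by Node itself
  if (trustProxy !== true) return false;       // untrusted proxy: plain socket means plain HTTP
  // Trusted proxy: believe the first hop recorded in X-Forwarded-Proto.
  const first = (req.headers['x-forwarded-proto'] || '').split(',')[0];
  return first.trim().toLowerCase() === 'https';
}

// Builds the Set-Cookie header express-session would emit, or null when the
// secure gate blocks it (the silent failure in the question).
function sessionCookieHeader(req, opts) {
  if (opts.cookie.secure && !requestIsSecure(req, opts.proxy)) return null;
  const parts = [`connect.sid=${opts.sessionId}`, 'Path=/'];
  if (opts.cookie.httpOnly !== false) parts.push('HttpOnly');
  if (opts.cookie.secure) parts.push('Secure');
  if (opts.cookie.sameSite) {
    const v = String(opts.cookie.sameSite);
    parts.push(`SameSite=${v.charAt(0).toUpperCase()}${v.slice(1).toLowerCase()}`);
  }
  return parts.join('; ');
}

// Part 2, browser side. Minimal Set-Cookie parser: only the attributes the
// acceptance rules below need.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const [name, value] = pair.split('=');
  const cookie = { name, value, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').toLowerCase();
  }
  return cookie;
}

// Chromium's acceptance rules, simplified:
//  - SameSite=None is honoured only together with Secure;
//  - a Secure cookie is accepted only from an https:// response (localhost aside);
//  - no SameSite attribute means Lax, which is rejected in a cross-site context.
function chromiumAccepts(header, ctx) {
  const c = parseSetCookie(header);
  if (c.sameSite === 'none' && !c.secure) return false;
  if (c.secure && ctx.scheme !== 'https' && ctx.host !== 'localhost') return false;
  const effective = c.sameSite || 'lax';
  if (ctx.crossSite && effective !== 'none') return false;
  return true;
}

// Constructed sample: Heroku-style request, TLS terminated at the router.
const herokuRequest = {
  socketEncrypted: false,
  headers: { 'x-forwarded-proto': 'https', host: 'app.example' },
};

// Walks the cases from the question and both answers; returns a result map.
function runScenarios() {
  const base = { sessionId: 's%3Aexample', cookie: { secure: true, httpOnly: false } };
  const sameSiteCtx = { scheme: 'https', host: 'app.example', crossSite: false };
  const crossSiteCtx = { scheme: 'https', host: 'api.example', crossSite: true };
  const r = {};
  r.noTrustProxy = sessionCookieHeader(herokuRequest, base);                  // question's config: no header
  r.trustProxy = sessionCookieHeader(herokuRequest, { ...base, proxy: true }); // answer 1 fix
  r.sameSiteStored = chromiumAccepts(r.trustProxy, sameSiteCtx);
  r.crossSiteWithoutSameSite = chromiumAccepts(r.trustProxy, crossSiteCtx);  // answer 2's symptom
  const fixed = { ...base, proxy: true, cookie: { ...base.cookie, sameSite: 'none' } };
  r.crossSiteFixed = chromiumAccepts(sessionCookieHeader(herokuRequest, fixed), crossSiteCtx);
  r.noneWithoutSecure = chromiumAccepts('connect.sid=x; Path=/; SameSite=None', crossSiteCtx);
  r.secureOverHttp = chromiumAccepts('connect.sid=x; Path=/; Secure',
    { scheme: 'http', host: 'app.example', crossSite: false });
  return r;
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Reading the output top to bottom reproduces the thread: `noTrustProxy` is null (the question's symptom, independent of browser), `trustProxy` yields a header, which Chrome stores on a same-site page but rejects cross-site until `sameSite: 'none'` is added, and the last two cases show why `SameSite=None` without Secure, or Secure over plain http, are dropped as well.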