Express.js cross-domain session is not saved

Question

I am trying to make a third party application meaning it will run across multiple domains. I want to handle a session per user that uses the app, therefore, I used the express-session module to make it but every time I make a request it starts up a new session for the current request...

const express    = require('express'),
      router     = express.Router();
      const session = require('express-session')

router.use(function(req, res, next) {
    res.header('Access-Control-Allow-Credentials', true);
    res.header('Access-Control-Allow-Origin', req.headers.origin);
    res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
    res.header('Access-Control-Allow-Headers', 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept');
    next();
});

router.use(session({
    secret: 'keyboard cat',
    resave: true,
    maxAge: 2 * 60 * 60 * 1000, // 2 hours
    saveUninitialized: false,
    cookie: { 
        maxAge:  2 * 60 * 60 * 1000 ,
        secure: false,
        sameSite : false,
        httpOnly: false}
}))
router.get( '/',function (req, res, next) {

    // let payload = req.query;
    let isDevClient = req.session.isDevClient  || false;
    console.log('isNew? ', isDevClient );
    res.status(201).send({
        success: true, 
        isDevClient,
        message: 'msg..'
    });

}).post( '/',function (req, res, next) {
    let payload = req.body;
    console.log('isNew? ', req.session.isDevClient )
    req.session.isDevClient = true; 
    res.status(200).send({
        success: true, 
        message: 'ok'
    });
});


module.exports = router;

Request example

// javascript
fetch('https://127.0.0.1:8443/',{
method : "POST",
credentials: 'include',
})

//Jquery
    $.ajax({
        'type': 'post',
        'url': 'https://127.0.0.1:8443',
         'xhrFields': {
         'withCredential's: true
         }
        'success': function (response) {},
    })

``

Answer 1

Use credentials: 'include' in your fetch call, otherwise fetch won't send cookies during cross-domain request. Example:

fetch(..., {
   ...,
   credentials: 'include' 
}

Update: seems like recent Chrome version will not send cookies during cross-domain requests if SameSite attribute is not set.

Setting sameSite : 'none' should fix it. Note that chrome also requires these cookies to be Secure. https://www.chromestatus.com/feature/5633521622188032

By the way, you can easily provide examples with repl.it (like this)