6

I have a Node/Express application hosted on Heroku that has a domain that I purchased for it. When using the application on my desktop it works fine. I can log in just fine when I visit its domain at https://myapp.app or where it's hosted on Heroku directly, https://myapp.herokuapp.com

However, when I visit the app in Safari on mobile iOS at its domain ( https://myapp.app ) it won't authenticate requests. Logging in doesn't seem to set the cookie. When I visit the application at its Heroku URL however ( https://myapp.herokuapp.com ) I can log in just fine. After logging in at https://myapp.herokuapp.com it'll let me stay logged in at https://myapp.app, and only after logging in once already at https://myapp.herokuapp.com will it let me log in at https://myapp.app.

Here's my express-session code. I am using Passport.js for authentication as well.

const express = require('express');
const session = require('express-session');
const app = express();

app.use(session({ 
    secret: 'cat', // a session secret should be loaded from an environment variable, not a literal
    resave: false, 
    saveUninitialized: true,
    proxy: true, // required for secure cookies behind Heroku's TLS-terminating proxy
    cookie: { 
        sameSite: 'none', // declares the cookie for cross-site use
        secure: process.env.NODE_ENV === "production"
    }
}));

Any help would be greatly appreciated.

  • 1
    Have you tried out this: https://stackoverflow.com/questions/7834228/set-cookie-for-domain-instead-of-subdomain-using-nodejs-and-expressjs ? – Tin Nguyen Feb 27 '20 at 07:52
  • This happens since Safari considers `sameSite: None` as `sameSite: strict` – Joshua Varghese Mar 21 '21 at 15:48
  • Please, is there any other solution you might suggest? I am facing this issue and none of the answers above are working for me. @TinNguyen – Paulliano Sep 30 '22 at 11:52

2 Answers

0

This is working for me:

const express = require('express');
const session = require('express-session');
const mongoose = require('mongoose');
const MongoStore = require('connect-mongo')(session); // connect-mongo v3 API, which accepts mongooseConnection

const app = express();
const db = mongoose.connection;                // an already-opened mongoose connection
const SESS_NAME = process.env.SESS_NAME;       // cookie name, taken from the environment
const SESS_SECRET = process.env.SESS_SECRET;   // long random secret, taken from the environment

app.use(
  session({
    name: SESS_NAME,
    resave: false,
    saveUninitialized: false,
    store: new MongoStore({mongooseConnection: db}),
    secret: SESS_SECRET,
    proxy: true,
    cookie: {
      maxAge: 1000 * 60 * 60 * 24, // 24 hours (the posted 1000 * 60 * 24 was only 24 minutes)
      secure: true,
      httpOnly: true,
    },
  })
);
Jonas
  • 47
  • 6
0

Since you are setting sameSite: 'none', you are telling express-session that you will be working cross-domain. Setting sameSite: true should work for you, or, since this is its default value, you do not need to use it.

Kotai
  • 121
  • 1
  • 7