
I am developing a web app with Express.js and React.js. I am using express-session but it is not working. This is how I am using it:

const session = require('express-session');
const MongoStore = require('connect-mongo')(session);
const mongoose = require('mongoose');

app.use(session({
  store: new MongoStore({
    mongooseConnection: mongoose.connection,
    ttl: 365 * 24 * 60 * 60 // seconds
  }),
  secret: process.env.SESSION_SECRET,
  resave: true,
  saveUninitialized: false,
  cookie: {
    maxAge: 24 * 60 * 60 * 1000, // milliseconds
    httpOnly: true,
    secure: false,
    SameSite: 'strict', // note the capitalised key
  }
}));

I tried "secure" set to true, false and auto, and all possible combinations, and always got the same Chrome issue:

In a future version of the browser, cookies marked with SameSite=None must also be marked with Secure to allow setting them in a cross-site context. This behavior protects user data from being sent over an insecure connection. Resolve this issue by updating the attributes of the cookie: Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute. Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests

Does anyone know how to solve it?

Thank you very much.

jklp
Nicolas Urman
  • Just a note that "In a future version of the browser" is right now. This feature has been turned on for a small percentage of users in the last few days. https://www.chromium.org/updates/same-site – spender Jul 31 '20 at 08:48
  • Yes, I just read it. But I still don't understand why it works in my Mac's Chrome and in my Windows Chrome, but not in my partner's Chrome. And I don't know how to solve it... – Nicolas Urman Jul 31 '20 at 09:09
  • Same problem here – Richard Aguirre Aug 25 '20 at 19:37
  • same problem here too, doesn't seem like anyone has really released much helpful info on this subject yet – ezg Sep 01 '20 at 03:15

2 Answers


Here is an example with session and MongoStore:

const session = require('express-session');
const MongoStore = require("connect-mongo")(session);
const mongoose = require('mongoose');

module.exports = session({
  secret: 'SuperSecret - (Change it)', //! set this from an environment variable.
  resave: false,
  saveUninitialized: true,
  cookie: {
    secure: true,
    httpOnly: true,
    sameSite: 'none',
    maxAge: 60 * 60 * 24 * 1000
  },
  store: new MongoStore({
    mongooseConnection: mongoose.connection,
    ttl: 24 * 60 * 60
  })
});
ValRob

SameSite: 'strict' is the issue! The first 'S' should be lowercase in JavaScript: sameSite: 'strict'.

Also, if that doesn't solve your problem, could it be that it's not actually a same-site request and you need to change it to sameSite: 'none'? I could be wrong, I don't know anything other than what you shared, but I just wanted to throw that out there in case!

ezg
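The two answers above describe two different failure modes: a mis-cased `SameSite` key that never reaches the browser, and a `sameSite: 'none'` cookie that Chrome rejects unless it is also `Secure`. The following added example (not code from the question, the answers, or express-session itself) models both with a simplified, hypothetical stand-in for express-session's cookie serializer and a small check that flags the attribute combinations the Chrome message in the question complains about. It assumes, as express-session does, that only the lowercase option keys listed in KNOWN_KEYS are forwarded to the Set-Cookie header.

```javascript
// Option keys a session cookie serializer is assumed to recognise; anything
// else (such as a capitalised `SameSite`) is silently dropped.
const KNOWN_KEYS = ['maxAge', 'expires', 'secure', 'httpOnly', 'domain', 'path', 'sameSite'];

// Simplified stand-in for the real serializer (constructed for this example):
// builds the Set-Cookie header value from the recognised option keys only.
function serializeSessionCookie(name, value, options) {
  const opts = {};
  for (const k of KNOWN_KEYS) if (k in options) opts[k] = options[k];
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (typeof opts.maxAge === 'number') parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    const v = String(opts.sameSite).toLowerCase();
    parts.push('SameSite=' + { strict: 'Strict', lax: 'Lax', none: 'None' }[v]);
  }
  return parts.join('; ');
}

// Audit a Set-Cookie header value and report the problems Chrome warns about:
// SameSite=None without Secure, and a cookie with no SameSite attribute at all.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map(s => s.trim().toLowerCase());
  const sameSite = (attrs.find(a => a.startsWith('samesite=')) || '').split('=')[1];
  const secure = attrs.includes('secure');
  const problems = [];
  if (sameSite === 'none' && !secure) problems.push('SameSite=None requires Secure');
  if (!sameSite) problems.push('no SameSite attribute (browser default applies)');
  return problems;
}

// Constructed sample inputs mirroring the question's cookie block (mis-cased
// key) and the corrected spelling from the second answer.
const asConfigured = { maxAge: 24 * 60 * 60 * 1000, httpOnly: true, secure: false, SameSite: 'strict' };
const corrected = { maxAge: 24 * 60 * 60 * 1000, httpOnly: true, secure: false, sameSite: 'strict' };

console.log(serializeSessionCookie('connect.sid', 's:abc', asConfigured), auditSetCookie(serializeSessionCookie('connect.sid', 's:abc', asConfigured)));
console.log(serializeSessionCookie('connect.sid', 's:abc', corrected), auditSetCookie(serializeSessionCookie('connect.sid', 's:abc', corrected)));
```

Running it shows the first header carries no SameSite attribute at all, while the corrected one emits `SameSite=Strict`; switching to `sameSite: 'none'` with `secure: false` is the combination the audit rejects.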