-2

I'm using express-session. I set the domain (`domain: 'mydomain.com'`) so that the session cookie can be set between subdomains, like `api.mydomain.com` and `staging.mydomain.com`.

But this prevents the Set-Cookie header from setting the cookie when testing with a localhost frontend. I get `Set-Cookie was blocked because its Domain attribute was invalid with regards to the current host url.`

So I need to make the domain attribute change to localhost if the origin is localhost.

If I conditionally set the domain, we don't have access to req:

  app.use(
    session({
      secret: 'very secret 12345',
      resave: true,
      saveUninitialized: false,
      store: new MongoStore({ mongooseConnection: mongoose.connection }),
      cookie: {
        // `req` does not exist here: these options are evaluated once, at startup
        domain:
          req.get('origin').slice(0, 17) === 'http://localhost:' ? 'localhost' : 'mydomain.com',
        secure: true,
        httpOnly: true,
        sameSite: 'none',
      },
    })
  );

This returns ReferenceError: req is not defined.

So I tried calling session in a custom middleware to get access to req:

  app.use((req, res, next) =>
    // returns the middleware that session() builds without ever calling it
    session({
      secret: 'very secret 12345',
      resave: true,
      saveUninitialized: false,
      store: new MongoStore({ mongooseConnection: mongoose.connection }),
      cookie: {
        domain:
          req.get('origin').slice(0, 17) === 'http://localhost:' ? 'localhost' : 'mydomain.com',
        secure: true,
        httpOnly: true,
        sameSite: 'none',
      },
    })
  );

But it doesn't work. It seems that with this, res, req, and next don't get passed in to the middleware function that session() returns. I also tried calling the function that session() returned, `session({..options..})()`, but that didn't work either.

How can I set the domain attribute based on the request origin?

Dashiell Rose Bark-Huss

1 Answer

-1

I had to call the function and pass in req, res, and next:

  app.use((req, res, next) =>
    session({
      secret: 'very secret 12345', // to do, make environment variable for production
      resave: true,
      saveUninitialized: false,
      store: new MongoStore({ mongooseConnection: mongoose.connection }),
      cookie: {
        // requests without an Origin header fall through to 'mydomain.com'
        domain:
          (req.get('origin') || '').slice(0, 17) === 'http://localhost:' ? 'localhost' : 'mydomain.com',
        secure: true,
        httpOnly: true,
        sameSite: 'none',
      },
    })(req, res, next) // invoke the middleware that session() returns
  );
Dashiell Rose Bark-Huss
  • @vodolaz095 How is the second way possible? Req would be undefined? – Dashiell Rose Bark-Huss Apr 07 '21 at 13:23
  • The original answer is right. The edit is incorrect. This question and answer should not have been down voted. Please read the question more carefully – Dashiell Rose Bark-Huss Apr 07 '21 at 13:33
  • req will be correct, expressjs has 2 types of middlewares - error handler one - `function(error, req,res,next)....` and ordinary one `function(req,res,next)...`. Session is 2nd type, ordinary one – vodolaz095 Apr 07 '21 at 14:16
  • It is not correct. `req` is undefined. Try it. It gives you `ReferenceError: req is not defined`. Think about it. The `session` function is not the middleware that is run. The function that `session` returns is the middleware. So when `req.get('origin')` is run `req` has not been passed in. – Dashiell Rose Bark-Huss Apr 07 '21 at 15:21
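
An added example, not part of the original answer or its comments: the same per-request choice, with the Origin header parsed instead of prefix-matched and the session middleware built once per domain at startup rather than on every request. `cookieDomainFor`, `sessionByOrigin` and the stub in `demo` are hypothetical names; `createSession` stands for the function that express-session exports.

```javascript
'use strict';
// Added example, not from the original post. Function names are hypothetical.
const PROD_DOMAIN = 'mydomain.com'; // domain used in the question

// Map an Origin header to a cookie Domain. The header is parsed, so only the
// exact hostname "localhost" matches; a missing or malformed Origin falls
// back to the production domain instead of throwing.
function cookieDomainFor(originHeader) {
  let host;
  try {
    host = new URL(originHeader).hostname;
  } catch {
    return PROD_DOMAIN;
  }
  return host === 'localhost' ? 'localhost' : PROD_DOMAIN;
}

// Build one session middleware per allowed Domain at startup and dispatch to
// it per request. `createSession` is the function exported by express-session,
// injected here so the block also runs without the package installed.
function sessionByOrigin(createSession, baseOptions) {
  const byDomain = new Map();
  for (const domain of ['localhost', PROD_DOMAIN]) {
    const cookie = { ...baseOptions.cookie, domain };
    byDomain.set(domain, createSession({ ...baseOptions, cookie }));
  }
  return (req, res, next) =>
    byDomain.get(cookieDomainFor(req.get('origin')))(req, res, next);
}

// In an app: app.use(sessionByOrigin(require('express-session'), options));

// Demo with a constructed stub in place of express-session.
function demo() {
  const stub = (opts) => (req, res, next) => {
    req.cookieDomain = opts.cookie.domain;
    next();
  };
  const mw = sessionByOrigin(stub, { cookie: { secure: true, httpOnly: true } });
  return ['http://localhost:3000', 'https://staging.mydomain.com', undefined].map(
    (origin) => {
      const req = { get: () => origin };
      mw(req, {}, () => {});
      return req.cookieDomain;
    }
  );
}
console.log(demo());
```

Because both middlewares are created once, the store passed in `baseOptions` is also constructed once and shared, instead of a new `MongoStore` per request.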