0

I am using cookie-session and passportjs to authenticate users in my express app. When I initialize my cookieSession like this:

app.use(cookieSession({
    maxAge: 24 * 60 * 60 * 1000,
    keys: ['key1']
}));

my cookie is successfully saved to the client. However, the project I am working on requires cross-site requests. Therefore, the secure attribute for the cookie must be set to true and the SameSite attribute must be set to none. In the documentation, these values are able to be set as follows:

app.use(cookieSession({
    maxAge: 24 * 60 * 60 * 1000,
    secure: true,
    sameSite: 'none',
    keys: ['key1']
}));

however, when I do this, the cookie fails to save to the client. I'm wondering if anyone knows how to fix this or why this might be happening?

Thank you in advance.

Andrew
  • 240
  • 1
  • 3
  • 13

2 Answers

1

The answer by Luka Darsalia showed me that, in my case at least, the server was refusing to send secure:true cookies to the client, because it thought the client was insecure (due to the request.protocol being http rather than https).

At first I was confused by this, because my address bar showed https. But then I remembered that the https was only for the connection between my browser and Cloudflare CDN -- the connection between Cloudflare CDN and my actual server was still using http.

Thus, to fix it, I simply had to assure cookie-session (more specifically, this line in the cookies package) that the connection was secure, and thus that it should go ahead with sending the cookie with the secure:true flag.

To do this, I simply added the following middleware after the cookieSession middleware:

// your existing cookieSession init here
app.use(cookieSession({
    [...]
    secure: true,
    sameSite: "none",
}));

// enable the "secure" flag on the sessionCookies object
app.use((req, res, next)=>{
    req["sessionCookies"].secure = true;
    next();
});
Venryx
  • 15,624
  • 10
  • 70
  • 96
  • This looked exactly like what I needed as our issues are identical, as you have stated them. But after I added the lines under "// enable the "secure"... I got this error msg on the server: "err.message: Cannot set property 'secure' of undefined" Any ideas? Thx. – Ric Jan 03 '22 at 07:19
  • I would examine the "req" variable with dev-tools or logging, and try to find the property on that object that holds the cookies data. If it's not present, then perhaps the cookie-session library you're using (or are you using a different library?) is not set up properly. – Venryx Jan 03 '22 at 07:46
  • I'm wondering if I am not defining a value. In the above first middleware code, you use cookieSession, then in the next middleware code you use sessionCookies. Was that intentional or a mistype? If intentional, where was sessionCookies defined? – Ric Jan 03 '22 at 19:47
  • 1
    It's been a while, but I believe I copy-pasted from my working code, so it's intentional. The sessionCookies property is set by the cookieSession middleware, from what I recall. – Venryx Jan 04 '22 at 03:11
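The mechanism behind the accepted workaround, as an added example that is not code from the question or from either answer: a stand-alone model (no Express, no npm packages, so it runs offline) of the decision the cookies package makes before emitting a `secure` cookie, and of what the `req.sessionCookies.secure = true` override changes. The request objects, header values, and all function names (`connectionLooksSecure`, `buildSetCookieHeader`, `sessionCookieWithOverride`, `sessionCookieFromForwardedProto`, `sessionCookieWithoutFix`) are this example's own constructions, not the library's API; only the error text matches what the cookies package throws.

```javascript
// Model of the secure-cookie check made by the cookies package (used by
// cookie-session). Constructed inputs; names are this example's, not the library's.

// Whether the *server side* believes the connection is encrypted. The real
// package looks at req.protocol === "https" or req.connection.encrypted; behind
// a TLS-terminating CDN both are falsy because the CDN-to-origin hop is plain http.
function connectionLooksSecure(req) {
  return req.protocol === "https" || Boolean(req.connection && req.connection.encrypted);
}

// Model of Cookies#set: refuses to emit a `secure` cookie when the per-request
// `cookies.secure` flag is false. That flag is what the answer's middleware overrides.
function buildSetCookieHeader(cookies, name, value, opts) {
  if (opts.secure && !cookies.secure) {
    throw new Error("Cannot send secure cookie over unencrypted connection");
  }
  const parts = [`${name}=${value}`, "path=/", "httponly"];
  if (opts.secure) parts.push("secure");
  if (opts.sameSite) parts.push(`samesite=${opts.sameSite}`);
  return parts.join("; ");
}

// Constructed request as an origin server sees it behind a CDN: the browser used
// https (reflected only in X-Forwarded-Proto), but the last hop arrived over http.
function makeProxiedRequest() {
  return {
    protocol: "http",
    connection: { encrypted: false },
    headers: { "x-forwarded-proto": "https" },
  };
}

const SESSION_OPTS = { secure: true, sameSite: "none" };

// No fix: the model throws the same error the comment on the other answer quotes.
function sessionCookieWithoutFix(req) {
  const cookies = { secure: connectionLooksSecure(req) };
  return buildSetCookieHeader(cookies, "session", "abc", SESSION_OPTS);
}

// Fix as in the answer above: unconditionally tell the cookie layer the connection
// is secure (equivalent to `req.sessionCookies.secure = true`). Every request,
// including one that reached the origin directly over http, now gets the cookie.
function sessionCookieWithOverride(req) {
  const cookies = { secure: connectionLooksSecure(req) };
  cookies.secure = true;
  return buildSetCookieHeader(cookies, "session", "abc", SESSION_OPTS);
}

// Narrower variant (this example's own, not from the page): derive the flag from
// the forwarded-protocol header, so a plain-http request that did not come through
// the proxy still fails closed. Only sound when clients cannot set that header
// themselves, i.e. when the origin is reachable only through the CDN.
function sessionCookieFromForwardedProto(req) {
  const forwarded = String(req.headers["x-forwarded-proto"] || "").split(",")[0].trim();
  const cookies = { secure: connectionLooksSecure(req) || forwarded === "https" };
  return buildSetCookieHeader(cookies, "session", "abc", SESSION_OPTS);
}

// Stand-alone demonstration.
const proxied = makeProxiedRequest();
try {
  sessionCookieWithoutFix(proxied);
} catch (e) {
  console.log("without fix:", e.message);
}
console.log("with override:", sessionCookieWithOverride(proxied));
console.log("from X-Forwarded-Proto:", sessionCookieFromForwardedProto(proxied));
```

In Express the forwarded-protocol variant corresponds to enabling `app.set('trust proxy', ...)`, after which `req.protocol` itself reports `https` for requests whose `X-Forwarded-Proto` header says so, and no override of `req.sessionCookies` is needed; the check in the cookies package then keeps refusing secure cookies on any connection that really was plain http end to end.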
0

After authentication use this:

// route path "/login" is illustrative; passport.authenticate must run as route middleware
app.post("/login", passport.authenticate("local"), (req, res) => {
  // persist the session, then redirect only once the save callback reports no error
  req.session.save((err) => {
    if (err) {
      console.log(err);
    } else {
      res.redirect("/");
    }
  });
});
Luka Darsalia
  • 79
  • 1
  • 4
  • While this did not solve the problem for me (hitting the same issue as the OP), it did reveal the problem: it caused the page to show the error `Error: Cannot send secure cookie over unencrypted connection`. – Venryx Sep 16 '21 at 09:25