
The problem I am facing is down to reading a role property of a session set by the user's role in a database. Why is this behaviour happening? It makes it difficult to develop new features which rely on backend control of API endpoints.

authentication code

// Login handler. The question shows only the body, so the export name and the
// req.body source of the credentials are assumed here.
exports.login = async (req, res, next) => {
    const { username, password } = req.body
    let role = await userAuth.authUser(username, password)
    if (role == null) {
        res.status(401).send()
    } else {
        req.session.role = role
        // Wait for the store to persist the session before responding, so the
        // next request can already read the role from the session table.
        req.session.save((err) => {
            if (err) return next(err)
            res.json(req.session.role)
        })
    }
}

This is then stored in a session table in my PSQL db. For some functions I require an admin role to be read from the session.

exports.getJWT = async (req, res) => {
    // role holds the rows returned by the auth lookup, so the role string is
    // on the first row
    if (req.session.role[0].role == 'admin') {
        console.log("Admin found")
    }
}

When I send a request to this function from the same server where the express server is running it passes, and the req.session.role[0].role can be read. However, when I am running a development environment on my localhost and I send a request to the same backend, the property is undefined and the function fails.

Here is my session code from my main express application

server.js

const sessionConfig = {
  store: new pgSession({
      pool: sessionDBaccess,
      tableName: 'session'
  }),
  name: "session",
  secret: "SecretsStaySecret", // hardcoded in the question; load from the environment in a real deployment
  cookie: {
    // The option is camelCase httpOnly. The question's `httponly:false` is a
    // misspelling express-session ignores, so the cookie was httpOnly anyway.
    httpOnly: true,
    secure: true,
    sameSite: "none",
    // express-session takes a duration in ms as maxAge; `expires` expects a Date
    maxAge: 12 * 60 * 60 * 1000
  }
}
wbbigdave
  • Unless your backend is also on `localhost`, the session cookie will be considered third party and blocked by your browser. Frontend and backend must have the same top-level domain (e.g., `frontend.mydomain.com` and `backend.mydomain.com`). – Heiko Theißen May 26 '22 at 15:24
  • This isn't right; I have set sameSite to none, so the cookie isn't being blocked. I confirmed this in the browser as well. The cookie exists and is not blocked. I have run across the blocked issue before, but it is no longer an issue as I have SSL configured on the backend as well (hence secure: true). – wbbigdave May 26 '22 at 16:15
  • Third-party cookie blocking is not affected by the `sameSite` attribute (which is about top-level navigation, whereas third-party cookies occur without navigating). But if the cookie is visible in your browser ("Application > Storage > Cookies" in Chrome DevTools), then this is indeed not the cause of the problem. Sorry. – Heiko Theißen May 26 '22 at 16:18

1 Answer


When you are not using https, set `secure: false`; see more detail here: https://jonathan-holloway.medium.com/node-and-express-session-a23eb36a052

  const sessionConfig = {
    store: new pgSession({
        pool: sessionDBaccess,
        tableName: 'session'
    }),
    name: "session",
    secret: "SecretsStaySecret", // load from the environment in a real deployment
    cookie: {
      httpOnly: true, // camelCase option name; the misspelled `httponly` is ignored
      secure: false, // plain http: a Secure cookie would never be stored
      // Note: browsers reject SameSite=None unless Secure is also set, so over
      // http this cookie needs sameSite "lax" to be kept at all.
      sameSite: "none",
      maxAge: 12 * 60 * 60 * 1000 // duration in ms; `expires` expects a Date
    }
  }
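An added example, not from the question or the answer above, that ties the two configs together: the cookie attributes are derived from the environment so the same server.js serves https in production and plain http on localhost, the SameSite=None/Secure combination is checked before it reaches the browser, and the `req.session.role[0].role == 'admin'` test becomes one reusable middleware with a 401/403 split. It assumes `NODE_ENV` and `SESSION_SECRET` are environment variables, that the store puts the DB rows under `req.session.role` as the question does (so the role string is `rows[0].role`), and it uses plain functions so it runs without express installed; the middleware signature is express's.

```javascript
// Cookie options for the express-session cookie, chosen per environment.
// Assumed env variables: NODE_ENV, SESSION_SECRET (read via the env argument).
function sessionCookieOptions(env) {
  const production = env.NODE_ENV === 'production';
  return {
    // Keep the session id out of document.cookie; nothing here needs script access.
    httpOnly: true,
    // Secure cookies are only stored and sent over https. A dev server on
    // http://localhost must set this false or the browser never keeps the cookie.
    secure: production,
    // SameSite=None is needed for a cross-site frontend, but browsers reject
    // SameSite=None without Secure, so fall back to Lax on plain http.
    sameSite: production ? 'none' : 'lax',
    // express-session takes maxAge in milliseconds; `expires` wants a Date.
    maxAge: 12 * 60 * 60 * 1000,
  };
}

// True when the cookie attributes are a combination browsers will accept.
function cookieOptionsAreValid(opts) {
  if (String(opts.sameSite).toLowerCase() === 'none' && !opts.secure) return false;
  return true;
}

// Whole express-session config. The store is passed in so this stays testable.
// Usage (not executed here): app.use(session(buildSessionConfig(process.env, store)))
function buildSessionConfig(env, store) {
  if (!env.SESSION_SECRET) throw new Error('SESSION_SECRET must be set');
  return {
    store,
    name: 'session',
    secret: env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    // Behind a TLS-terminating proxy express sees http; express-session's
    // `proxy` option reads X-Forwarded-Proto when deciding on secure cookies.
    proxy: env.NODE_ENV === 'production',
    cookie: sessionCookieOptions(env),
  };
}

// Read the role the way the question's handler does, but tolerate a missing
// or empty session (the case the question hits from the dev environment).
function roleFromSession(session) {
  const rows = session && session.role;
  return Array.isArray(rows) && rows.length > 0 ? rows[0].role : undefined;
}

// Express middleware factory: 401 when no role is in the session (no session
// cookie arrived, or a fresh session was created), 403 when a role is present
// but is not the one required.
function requireRole(wanted) {
  return function (req, res, next) {
    const role = roleFromSession(req.session);
    if (role === undefined) return res.status(401).send();
    if (role !== wanted) return res.status(403).send();
    return next();
  };
}

// Drives a middleware with a fake req/res and reports what it did, so the
// authorization logic can be unit-tested without an HTTP server.
function runMiddleware(middleware, session) {
  const result = { status: 200, nextCalled: false };
  const req = { session };
  const res = {
    status(code) { result.status = code; return this; },
    send() { return this; },
  };
  middleware(req, res, () => { result.nextCalled = true; });
  return result;
}
```

With this shape the admin-only route becomes `app.get('/jwt', requireRole('admin'), getJWT)`, and a request that arrives without the session cookie is rejected with 401 before the handler ever dereferences `req.session.role[0]`.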