
So I built an app that uses passport and express-session for its authentication. When I deployed, I discovered that Safari was not letting express-session work until I switched off 'cross-site tracking' in its settings. How do I make this work?

Based on this article https://sarav.co/session-persisting-issue-safari I need to manually switch it off, but I honestly cannot expect my users to be manually doing that.

Below is how I've set up my express session:

const express = require('express');
const session = require('express-session');
const MongoStore = require('connect-mongo');

const app = express();

// Running behind a TLS-terminating proxy, so `secure` cookies are still set
app.set('trust proxy', 1);

app.use(session({
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    cookie: {
        secure: true,               // only sent over HTTPS
        httpOnly: true,             // not readable from client-side JavaScript
        sameSite: 'none',           // allow the cookie on cross-site requests
        maxAge: 60 * 60 * 24 * 1000 // one day, in milliseconds
    },
    store: MongoStore.create({
        mongoUrl: process.env.DB_URL,
        ttl: 14 * 24 * 60 * 60,     // 14 days, in seconds
        autoRemove: 'native',
    })
}));
Kotai

1 Answer


Use CORS middleware with correct options from here - https://expressjs.com/en/resources/middleware/cors.html

Abhishek Singh
  • Not a CORS problem. It works fine on other browsers – Kotai Jul 06 '22 at 19:56
  • OK. Safari does not allow cross-domain cookies. Removing `sameSite` and `secure` will work as the other way around to this problem. The true solution to this problem is that both F/E and B/E should be in the same domain / sub-domain of the same domain. – Abhishek Singh Jul 07 '22 at 06:38
  • Please, how did you solve this issue? I'm also having this issue. @Kotai – Paulliano Sep 30 '22 at 12:10