在 localhost 中登录，但在 Heroku 中部署时出现“会话所需的秘密选项”错误

Question

My authentification works properly on localhost but gives me error 500 when deployed on Heroku.

Error:

{"type":"error","error":{"message":"secret option required for sessions"}}

I have my secret session on a.env file that is ignored by.gitignore when pushing (maybe I should change that?)

Heroku Logs:

2019-10-23T17:22:22.682593+00:00 heroku[router]: at=info method=GET path="/manifest.json" host=apppack-demo.herokuapp.com request_id=bb235945-cb82-4168-91ce-fd19d2109801 fwd="85.240.87.39" dyno=web.1 connect=0ms service=2ms status=304 bytes=237 protocol=https
2019-10-23T17:22:22.793594+00:00 heroku[router]: at=info method=GET path="/logo192.png" host=apppack-demo.herokuapp.com request_id=8a1d2243-45c9-4919-b2ad-3ee8f9148d9c fwd="85.240.87.39" dyno=web.1 connect=0ms service=2ms status=304 bytes=238 protocol=https
2019-10-23T17:22:35.594349+00:00 heroku[router]: at=info method=POST path="/api/signup" host=apppack-demo.herokuapp.com request_id=43907374-4de3-4658-92ce-9188f03e1624 fwd="85.240.87.39" dyno=web.1 connect=0ms service=3ms status=500 bytes=300 protocol=https
2019-10-23T17:22:35.592607+00:00 app[web.1]: POST /api/signup 500 1.206 ms - 74

Answer 1

I was facing the same issue while I was deploying my code into AWS Elastic BeanStalk. In.env we could have -

secret='my_secret'

While in server.js:

app.use(cookieParser())
app.use(session({
  resave:true,
  saveUninitialized:true,
  secret:process.env.secret,
  cookie:{maxAge:3600000*24}
}))

The solution turned out to be adding secret to the environments in there. Just add it to your enviroments for production, be it heroku or AWS.

Answer 2

Have you added your secret session from your.env file to heroku config? Since your.env is in your.gitignore it will not be pushed up to heroku. Your code is looking for a string from your process.env but the heroku environment does not have it yet.

You have two solutions

1. Go to your app console and click on settings. Once you are there, click on the box that says reveal config vars and add your secret there.

or

2. In the root directory of your project you can set your config vars there using the command

heroku config:set SECRET_SESSION="secretName"

Answer 3

I recently had this issue with my app. I was getting the 'Error: secret option required for sessions' ONLY when deployed to Heroku.

Here is what my code looked like originally:

app.use(session({
  secret: process.env.SESSION_SECRET, 
  resave: false, 
  saveUninitialized: false
}))

When I deployed to Heroku it kept giving me an "Internal server error". Once checking the logs, it showed me 'Error: secret option required for sessions'.

Here is how I fixed it:

app.use(session({
  secret: 'secretidhere', 
  resave: false, 
  saveUninitialized: false
}))

Since my.env file wasn't viewable and that's where I had my secret code, it was giving me that error. Now, just by putting an arbitrary string 'secretidhere', I deployed to heroku again and it worked!

** However, please note that this should not be a permanent solution. As the poster above states, you should have a config file in your root directory, or another method so this session stays secret.

Hope this helps!