stackoom
  简体   繁体   中英

Express-session not sending secure cookie to localhost

 原文  2022-08-06 18:58:23       node.js/ express/ cookies/ localhost/ express-session

Question

Regular cookies via res.cookie(..., {secure: true}) works, but express-session does not. I made the following to demonstrate:

const express = require('express');
const session = require('express-session');
const app = express();
app.use(session({
    secret: 'qwerqwerqwer',
    resave: true,
    saveUninitialized: true,
    cookie: {
        secure: true,
    },
}));
app.get('/hello', (req, res) => {
    res.cookie('test', 'asdf', {secure: true});
    res.send('');
});
const PORT = 7000;
app.listen(PORT, () => {
    console.log(`backend listening on port ${PORT}`);
});

When I go to /hello , there is a Set-Cookie for test: asdf but no Set-Cookie for connect.sid . In other words, express-session is not sending the cookie at all; it is not a problem on the browser side. I also logged the response headers and it indeed does not include a Set-Cookie for connect.sid .

MDN says secure cookies work for localhost. It might not be true for chrome but they said it's true for Firefox, so I downloaded Firefox and tested on it, and I don't receive the connect.sid cookie, which also confirms that it's express-session 's problem.

I think express-session is overstepping its authority and withholding the cookie for some reason (the secure attribute should be interpreted by the browser anyways). How do I fix this?

2 answers

solution1
 0  2022-08-06 21:12:00

Secure cookies are only sent through HTTPS so in development you should add a check to see if you're running on production or locally like bellow:

app.use(session({
    secret: 'qwerqwerqwer',
    resave: true,
    saveUninitialized: true,
    cookie: {
        secure: process.env.NODE_ENV === "production",
    },
}));

solution2
 0  2022-08-07 01:56:32

I did some more digging and it turns out that this is a known issue with express-session: https://github.com/expressjs/session/issues/837

Basically, the docs around secure cookies has changed. It used to be that the server is supposed to withhold secure cookies over HTTP, and that is what express-session implemented. Now, it has changed to be the client's responsibility.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question session not persisting when using secure cookie in NodeJS with express-session express-session secure: true express-session is not returning cookie when set cookie.secure = true Is this express-session authentication method secure Express-session Secure Cookies not working express-session dynamic cookie domain Express-session cookie not saving in browser Express-session does not set cookie? Unsure as to why no cookie is being sent back to my localhost client when using express-session Where is the express-session cookie hidden?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM