Forward opts.secure to the cookies library to prevent silent error
#183
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If express thinks you are running over an unsecure connection, like when X-Forwarded-Proto is http, cookie-session will silently fail to set the session cookie (unless debugging is turned on)
This PR forwards options.secure to the
cookieslibrary.I accidentally changed how my NGINX sends x-forwarded-* headers ,and even though it was running behind HTTPS, nginx would send the X-Forwared-Proto: http header and sessions on my site would start to fail completely, resuting in a big outage for users.
Code that fails