-
-
Notifications
You must be signed in to change notification settings - Fork 983
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set-Cookie not added in response headers when secure=true (boolean value) #983
Comments
I have the same issue except for me it's like this (same code, different subdomain):
the session.cookie.httpOnly is set to false, path is "/" |
I have encountered the same issue while using express-session and there might be a solution here: |
it's a solution but it's not :) patching installed modules in node_modules is bad bad practice :) |
I thought it didn't work for me either after uploading it to the server, and I wasted a lot of time on it, but it turns out that this is an important part of the documentation: |
When session (import session from "express-session") is inited as follows the cookie is not set when sessionSecure (alias session) is set to true (boolean value). In case set to boolean false, undefined, "auto" the cookie is set as expected.
NOTE: sessionSameSite can be set to none, lax, strict.
True value is fundamental, as in Chrome v.124 when sameSite=none attribute Secure must be specified in order for the cookie to be accepted, elsewhere it is rejected by the browser.
Below the 2 extract from the network tab taken from Chrome when sameSite=none and
(1) sessionSecure=auto (cookie is set but rejected by the browser because Secure is missing in setCookie header
(2) sessionSecure=true (cookie is not set)
Originating browser request is always the same, when such request is handled custom properties are injected into session and the session is saved within the store:
POST /apis/login HTTP/1.1
Accept: /
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7,de-DE;q=0.6,de-AT;q=0.5,de;q=0.4,fr-FR;q=0.3,fr;q=0.2,pt-PT;q=0.1,pt;q=0.1,es;q=0.1,cs;q=0.1
Connection: keep-alive
Content-Length: 151
Content-Type: application/json
Host: ********
Origin: https://*******
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
(1)sessionSecure='auto'
HTTP/1.1 200 OK
Content-Length: 62615
Content-Type: application/json; charset=utf-8
Date: Mon, 06 May 2024 15:51:20 GMT
ETag: W/"f497-DC237HLESdsoKpg0BOcS77utp2k"
Set-Cookie: connect.sid=s%3AYr4n7FWirW3iDQF0rwfxI_C159519wzS.h59j4Z8UODeg1fj4gakBx2vq489%2BAJBazKdVZfMPFnQ; Path=/; Expires=Mon, 06 May 2024 16:01:20 GMT; HttpOnly; SameSite=None
Strict-Transport-Security: max-age=15552000; includeSubDomains
request-context: appId=cid-v1:
Content-Security-Policy: default-src 'self';script-src 'self'
Cross-Origin-Resource-Policy: same-origin
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
(2)sessionSecure=true
HTTP/1.1 200 OK
Content-Length: 62615
Content-Type: application/json; charset=utf-8
Date: Mon, 06 May 2024 15:45:38 GMT
ETag: W/"f497-DC237HLESdsoKpg0BOcS77utp2k"
Strict-Transport-Security: max-age=15552000; includeSubDomains
request-context: appId=cid-v1:
Content-Security-Policy: default-src 'self';script-src 'self'
Cross-Origin-Resource-Policy: same-origin
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
For case (2) we expected to see added to the headers above the following:
Set-Cookie: connect.sid=s%3AYr4n7FWirW3iDQF0rwfxI_C159519wzS.h59j4Z8UODeg1fj4gakBx2vq489%2BAJBazKdVZfMPFnQ; Path=/; Expires=Mon, 06 May 2024 16:01:20 GMT; HttpOnly; SameSite=None; Secure
The text was updated successfully, but these errors were encountered: