fastify · Uzlopak · Sep 9, 2022 · Sep 8, 2022
diff --git a/lib/cookie.js b/lib/cookie.js
diff --git a/lib/fastifySession.js b/lib/fastifySession.js
@@ -4,6 +4,7 @@ const fp = require('fastify-plugin')
 const idGenerator = require('./idGenerator')()
 const Store = require('./store')
 const Session = require('./session')
+const isConnectionSecure = require('./isConnectionSecure')
 
 function fastifySession (fastify, options, next) {
   const error = checkOptions(options)
@@ -165,7 +166,7 @@ function fastifySession (fastify, options, next) {
 
       const cookieSessionId = getCookieSessionId(request)
       const saveSession = shouldSaveSession(request, cookieSessionId, saveUninitializedSession, rollingSessions)
-      const isInsecureConnection = cookieOpts.secure === true && !isConnectionSecure(request)
+      const isInsecureConnection = cookieOpts.secure === true && isConnectionSecure(request) === false
       if (!saveSession || isInsecureConnection) {
         // if a session cookie is set, but has a different ID, clear it
         if (cookieSessionId && cookieSessionId !== session.encryptedSessionId) {
@@ -183,7 +184,7 @@ function fastifySession (fastify, options, next) {
         reply.setCookie(
           cookieName,
           hasCookiePrefix ? `${cookiePrefix}${session.encryptedSessionId}` : session.encryptedSessionId,
-          session.cookie.options(isConnectionSecure(request))
+          session.cookie
         )
         done()
       })
@@ -219,12 +220,6 @@ function fastifySession (fastify, options, next) {
     return opts
   }
 
-  function isConnectionSecure (request) {
-    return (
-      request.raw.socket?.encrypted === true || request.headers['x-forwarded-proto'] === 'https'
-    )
-  }
-
   function shouldSaveSession (request, cookieId, saveUninitializedSession, rollingSessions) {
     return cookieId !== request.session.encryptedSessionId
       ? saveUninitializedSession || request.session.isModified()

diff --git a/lib/getCookieOpts.js b/lib/getCookieOpts.js
@@ -0,0 +1,35 @@
+'use strict'
+
+const isConnectionSecure = require('./isConnectionSecure')
+
+module.exports = function getCookieOpts (cookieOpts, request) {
+  const originalMaxAge = cookieOpts.originalMaxAge || cookieOpts.maxAge || null
+  let secure = cookieOpts.secure || null
+  let sameSite = cookieOpts.sameSite || null
+  let expires = null
+
+  if (originalMaxAge) {
+    expires = new Date(Date.now() + originalMaxAge)
+  } else if (cookieOpts.expires) {
+    expires = new Date(cookieOpts.expires)
+  }
+
+  if (secure === 'auto') {
+    if (isConnectionSecure(request)) {
+      secure = true
+    } else {
+      sameSite = 'Lax'
+      secure = false
+    }
+  }
+
+  return {
+    expires,
+    originalMaxAge,
+    sameSite,
+    secure,
+    path: cookieOpts.path || '/',
+    httpOnly: cookieOpts.httpOnly !== undefined ? cookieOpts.httpOnly : true,
+    domain: cookieOpts.domain || null
+  }
+}
diff --git a/lib/isConnectionSecure.js b/lib/isConnectionSecure.js
@@ -0,0 +1,8 @@
+'use strict'
+
+module.exports = function isConnectionSecure (request) {
+  return (
+    request.raw.socket?.encrypted === true ||
+    request.headers['x-forwarded-proto'] === 'https'
+  )
+}
diff --git a/lib/session.js b/lib/session.js
@@ -2,7 +2,7 @@
 
 const crypto = require('crypto')
 
-const Cookie = require('./cookie')
+const getCookieOpts = require('./getCookieOpts')
 const { configure: configureStringifier } = require('safe-stable-stringify')
 
 const stringify = configureStringifier({ bigint: false })
@@ -38,7 +38,7 @@ module.exports = class Session {
       prevSession[sessionIdKey] === sessionId &&
       prevSession[encryptedSessionIdKey]
     ) || cookieSigner.sign(this.sessionId)
-    this.cookie = new Cookie(prevSession?.cookie || cookieOpts)
+    this.cookie = getCookieOpts(prevSession?.cookie || cookieOpts, request)
 
     if (prevSession) {
       // Copy over values from the previous session