diff --git a/config/env/default.js b/config/env/default.js
index 7395b9bcd7..267f519c6c 100644
--- a/config/env/default.js
+++ b/config/env/default.js
@@ -9,9 +9,18 @@ module.exports = {
 },
 port: process.env.PORT || 3000,
 templateEngine: 'swig',
- // Session details
- // session expiration is set by default to 24 hours
- sessionExpiration: 24 * (60 * 60 * 1000),
+ // Session Cookie settings
+ sessionCookie: {
+ // session expiration is set by default to 24 hours
+ maxAge: 24 * (60 * 60 * 1000),
+ // httpOnly flag makes sure the cookie is only accessed
+ // through the HTTP protocol and not JS/browser
+ httpOnly: true,
+ // secure cookie should be turned to true to provide additional
+ // layer of security so that the cookie is set only when working
+ // in HTTPS mode.
+ secure: false
+ },
 // sessionSecret should be changed for security measures and concerns
 sessionSecret: 'MEAN',
 // sessionKey is set to the generic sessionId key used by PHP applications
diff --git a/config/lib/express.js b/config/lib/express.js
index ce9db03771..59f3cc4c46 100644
--- a/config/lib/express.js
+++ b/config/lib/express.js
@@ -118,7 +118,9 @@ module.exports.initSession = function (app, db) {
 resave: true,
 secret: config.sessionSecret,
 cookie: {
- maxAge: config.sessionExpiration
+ maxAge: config.sessionCookie.maxAge,
+ httpOnly: config.sessionCookie.httpOnly,
+ secure: config.sessionCookie.secure && config.secure.ssl
 },
 key: config.sessionKey,
 store: new MongoStore({
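Review bot: The comment above `httpOnly: true` in the default.js hunk misstates what the flag does: the browser still stores the cookie and sends it with every HTTP(S) request; HttpOnly only keeps it out of reach of client-side script (document.cookie), which is what limits the damage of a script-injection bug. I'd reword it to `// httpOnly hides the cookie from client-side script (document.cookie); the browser still sends it with every request`. The `secure: false` default also deserves a second look, because the express.js hunk below already ANDs this value with `config.secure.ssl`; with that gate in place a default of `true` costs nothing on non-SSL setups and means a deployment that turns SSL on gets the Secure attribute without a second config edit, whereas today the flag stays off until someone edits both settings. The `module.exports` object literal starts and ends outside the hunk.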
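Review bot: `secure: config.sessionCookie.secure && config.secure.ssl` ties the Secure cookie attribute to Node terminating TLS itself, so if TLS ends at a reverse proxy in front of the app (a common deployment) `config.secure.ssl` is presumably false and the session cookie is issued without Secure even though users reach the site over HTTPS. express-session already declines to set a Secure cookie on a request it does not consider secure and, with Express's `trust proxy` setting, determines that from X-Forwarded-Proto, so the config value could drive the flag directly and the proxy case be covered by `trust proxy` rather than by this gate; at minimum the gate should be documented, e.g. `// Secure is only set when this process serves TLS itself (config.secure.ssl); behind a TLS-terminating proxy set 'trust proxy' instead`. Note also that the expression dereferences `config.secure` only when `sessionCookie.secure` is truthy, so an environment file that omits `secure` would fail at startup only after someone enables the cookie flag, which is an easy-to-miss failure mode. initSession's body starts and ends outside the hunk.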