Express cookie-session not saving cookie when SameSite is set to 'none' and secure is set to true
I am using cookie-session and passportjs to authenticate users in my express app. When I initialize my cookieSession like this:

app.use(cookieSession({
    maxAge: 24 * 60 * 60 * 1000,
    keys: ['key1']
}));

my cookie is successfully saved to the client. However, the project I am working on requires cross-site requests. Therefore, the secure attribute for the cookie must be set to true and the SameSite attribute must be set to none. In the documentation, these values are able to be set as follows:

app.use(cookieSession({
    maxAge: 24 * 60 * 60 * 1000,
    secure: true,
    sameSite: 'none',
    keys: ['key1']
}));

However, when I do this, the cookie fails to save to the client. I'm wondering if anyone knows how to fix this or why this might be happening?

Thank you in advance.

Jeffersonjeffery asked 21/6, 2021 at 19:16
The answer by Luka Darsalia showed me that, in my case at least, the server was refusing to send secure:true cookies to the client, because it thought the client was insecure (due to the request.protocol being http rather than https).

At first I was confused by this, because my address-bar showed https. But then I remembered that the https was only for the connection between my browser and Cloudflare CDN -- the connection between Cloudflare CDN and my actual server was still using http.

Thus, to fix it, I simply had to assure cookie-session (more specifically, this line in the cookies package) that the connection was secure, and thus go ahead with sending the cookie with the secure:true flag.

To do this, I simply added the following middleware after the cookieSession middleware:

// your existing cookieSession init here
app.use(cookieSession({
    [...]
    secure: true,
    sameSite: "none",
}));

// enable the "secure" flag on the sessionCookies object
app.use((req, res, next)=>{
    req["sessionCookies"].secure = true;
    next();
});
Willed answered 16/9, 2021 at 11:13
This looked like exactly what I needed, as our issues are identical, as you have stated them. But after I added the lines under "// enable the "secure"..." I got this error msg on the server: "err.message: Cannot set property 'secure' of undefined" Any ideas? Thx. Watters
I would examine the "req" variable with dev-tools or logging, and try to find the property on that object that holds the cookies data. If it's not present, then perhaps the cookie-session library you're using (or are you using a different library?) is not set up properly. Willed
I'm wondering if I am not defining a value. In the above first middleware code, you use cookieSession, then in the next middleware code you use sessionCookies. Was that intentional or a mistype? If intentional, where was sessionCookies defined? Watters
It's been a while, but I believe I copy-pasted from my working code, so it's intentional. The sessionCookies property is set by the cookieSession middleware, from what I recall. Willed
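The failure in this thread comes from the cookies package refusing to emit a Secure cookie when the request does not look like HTTPS, which is exactly what happens when TLS terminates at Cloudflare and the origin only sees plain HTTP. The following is an added, stand-alone Node.js example, not code from cookie-session, the cookies package or either answer: it models that decision and compares the unconditional override from the answer above with a proxy-aware check that honours X-Forwarded-Proto only from a known proxy address. The makeRequest, effectiveProtocol and setCookieHeader helpers, the trustedProxies and connectionSecure options and the IP addresses are this example's own, and the Max-Age output is a simplification of what the real library writes.

```javascript
// Added example (not cookie-session or cookies source): models the
// "secure cookie over unencrypted connection" decision and its proxy fix.

// Minimal stand-in for an incoming Node request. `encrypted` is true only
// when TLS terminates on this server; behind Cloudflare it is false.
function makeRequest({ encrypted = false, remoteAddress, headers = {} } = {}) {
  const lowered = {};
  for (const [k, v] of Object.entries(headers)) lowered[k.toLowerCase()] = v;
  return { connection: { encrypted, remoteAddress }, headers: lowered };
}

// Work out the scheme the client used. X-Forwarded-Proto is attacker
// controlled unless the peer that sent it is a proxy we trust, so it is
// only honoured when the TCP peer is listed in `trustedProxies` (the same
// idea as Express's "trust proxy" setting; this helper is an assumption).
function effectiveProtocol(req, trustedProxies = []) {
  if (req.connection.encrypted) return 'https';
  const forwarded = req.headers['x-forwarded-proto'];
  if (forwarded && trustedProxies.includes(req.connection.remoteAddress)) {
    return forwarded.split(',')[0].trim().toLowerCase(); // leftmost = original client
  }
  return 'http';
}

const SAME_SITE = { strict: 'Strict', lax: 'Lax', none: 'None' };

// Build a Set-Cookie value. `connectionSecure` plays the role of the override
// the answer sets on req.sessionCookies: when given, it replaces the protocol
// check entirely. Throws with the same message the cookies package uses.
function setCookieHeader(name, value, req, cookie, { connectionSecure, trustedProxies = [] } = {}) {
  const secureConn = connectionSecure === undefined
    ? effectiveProtocol(req, trustedProxies) === 'https'
    : Boolean(connectionSecure);
  if (cookie.secure && !secureConn) {
    throw new Error('Cannot send secure cookie over unencrypted connection');
  }
  // Browser rule, not a library rule: a cookie with SameSite=None that lacks
  // Secure is discarded by current browsers, so refuse to build one.
  if (cookie.sameSite === 'none' && !cookie.secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${value}`, 'Path=/'];
  if (cookie.maxAge) parts.push(`Max-Age=${Math.floor(cookie.maxAge / 1000)}`); // ms in, seconds out
  if (cookie.httpOnly !== false) parts.push('HttpOnly');
  if (cookie.secure) parts.push('Secure');
  if (cookie.sameSite) parts.push(`SameSite=${SAME_SITE[cookie.sameSite]}`);
  return parts.join('; ');
}

// The situations from the thread, with constructed addresses (TEST-NET ranges).
function runScenarios() {
  const CDN = '198.51.100.7';      // constructed: the Cloudflare edge talking to the origin
  const STRANGER = '203.0.113.10'; // constructed: some other host reaching the origin directly
  const cookie = { secure: true, sameSite: 'none', maxAge: 24 * 60 * 60 * 1000 };
  const viaCdn = makeRequest({ remoteAddress: CDN, headers: { 'X-Forwarded-Proto': 'https' } });
  const out = {};
  const attempt = (label, fn) => { try { out[label] = fn(); } catch (e) { out[label] = e.message; } };

  // 1. The question: TLS ends at the CDN, the origin sees plain HTTP, cookie never sent.
  attempt('untrusted', () => setCookieHeader('session', 'abc', viaCdn, cookie));
  // 2. The answer: declare the connection secure regardless of what it looks like.
  attempt('forced', () => setCookieHeader('session', 'abc', viaCdn, cookie, { connectionSecure: true }));
  // 3. Proxy-aware alternative: honour X-Forwarded-Proto only from the CDN.
  attempt('trustedProxy', () => setCookieHeader('session', 'abc', viaCdn, cookie, { trustedProxies: [CDN] }));
  // 4. A direct client forging the header is still refused under 3, but is
  //    accepted under 2: the unconditional override disables the tripwire.
  const forged = makeRequest({ remoteAddress: STRANGER, headers: { 'X-Forwarded-Proto': 'https' } });
  attempt('forgedHeader', () => setCookieHeader('session', 'abc', forged, cookie, { trustedProxies: [CDN] }));
  attempt('forgedForced', () => setCookieHeader('session', 'abc', forged, cookie, { connectionSecure: true }));
  // 5. Cross-site use without Secure: the browser would discard this cookie anyway.
  attempt('noneWithoutSecure', () => setCookieHeader('session', 'abc', viaCdn, { sameSite: 'none' }, { connectionSecure: true }));
  return out;
}

console.log(runScenarios());
```

Run it with node. In a real Express app the proxy-aware variant corresponds to app.set('trust proxy', ...), which makes req.protocol follow X-Forwarded-Proto from trusted peers so the library's own check passes without touching req.sessionCookies; the override in the answer is simpler but, as scenario 4 shows, it also emits the Secure cookie for any request that reaches the origin without going through the CDN. In both cases the hop between Cloudflare and the origin carries the cookie in clear text, so locking the origin down to the CDN's addresses, or enabling TLS on that hop, is the change that actually removes the exposure.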
After authentication use this:

// run passport's local strategy, then persist the session before redirecting
// so the cookie goes out with this response
app.post("/login", passport.authenticate("local"), (req, res) => {
  req.session.save((err) => {
    if (err) {
      console.log(err);
    } else {
      res.redirect("/");
    }
  });
});
Redevelop answered 22/6, 2021 at 21:13
While this did not solve the problem for me (hitting the same issue as the OP), it did reveal the problem: it caused the page to show the error Error: Cannot send secure cookie over unencrypted connection. Willed

© 2022 - 2024 — McMap. All rights reserved.