Express-session Secure Cookies not working

Question

When not using secure cookie true setting, my app user login works fine. When I enable secure cookies, the login appears to go through fine, but it seems the cookie is not saved and the user is not logged in.

In other words, this works:

app = express();
app.use(session({
    secret: 'secret code',
    store: sessionStore,
    resave: false,
    saveUninitialized: false,
    cookie: {
        secure: false,
        maxAge: 5184000000 // 60 days
        }
}));

This does not work (user isn't able to log in):

app = express();
app.set('trust proxy');
app.use(session({
    secret: config.cookieSecret,
    store: sessionStore,
    resave: false,
    saveUninitialized: false,
    proxy: true,
    secureProxy: true,
    cookie: {
        secure: true,
        httpOnly: true,
        maxAge: 5184000000 // 60 days
        }
}));

Behind cloudflare and nginx. This is in my nginx config:

location ~ / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://localhost:3000;
}

From what I read, I think it should work. What am I missing?

EDIT: I am running https with a valid ssl cert.

Possible duplicate of [How to read a http only cookie using JavaScript](https://stackoverflow.com/questions/8064318/how-to-read-a-http-only-cookie-using-javascript) — Mike Doe, Feb 06 '20 at 22:20

score 45 · Answer 1 · answered Feb 06 '20 at 21:46

45

The combination of settings that worked for me:

Inside the nginx server configuration, add proxy_set_header X-Forwarded-Proto $scheme;

Inside the express-session configuration:

server.use(
  session({
    proxy: true, // NODE_ENV === 'production'
    cookie: {
      secure: true, // NODE_ENV === 'production'
    },
    // everything else
  })
);

answered Feb 06 '20 at 21:46

Stoyan Berov

1,171
12
18

9

Setting proxy header in nginx helped me resolve my issue. Thanks! – Curious101 May 19 '20 at 22:22
1

Thank you for this answer. Spent the last two days debugging this issue, even went so far as to completely change my graphql client thinking that that might have been the cause. Its only when i noticed that cookies worked in production when secure was set to false that i figured it might be something else. – Frisbetarian-Support Palestine Dec 29 '22 at 12:01

score 12 · Answer 2 · answered Jul 26 '20 at 20:41

Solution if using Heroku:

In Heroku, all requests come into the application as plain http but they have the header X-Forwarded-Proto to know whether the original request was http or https. That causes express to see non-ssl traffic and so it refuses to set a secure cookie when running on Heroku. Express will only send secure cookies over https. You have to tell express to trust the information in the X-Forwarded-Proto header, i.e. that the original request was over https, by enabling the 'trust proxy' setting. Before defining the cookie properties I put

app.set('trust proxy', 1);

Where 1 means trust the first proxy. 1 was good enough for me to set cookie: secure

This also worked for my AWS hosted app. – Haruku Mar 08 '22 at 09:25 — Haruku, Mar 08 '22 at 09:25

score 7 · Answer 3 · answered Jun 08 '21 at 16:41

Apache reverse proxy solution

For those looking for a potential solution and are using an Apache reverse proxy: Make sure to add the following directives above the ProxyPass directives inside the VirtualHost directive for the respective domain:

RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
RequestHeader set X-Forwarded-SSL expr=%{HTTPS}

ProxyPass / http://localhost:8001/
ProxyPassReverse / http://localhost:8001/

This change allowed my cookies to persist.

Additionally, as others have pointed out, don't forget to add the following code to your production (or other hosted environments that use a proxy) express configuration:

  if (app.get('env') === 'production') {
      app.set('trust proxy', 1); // trust first proxy, crucial
  }

Lastly, make sure your cookie/session settings are set up correctly. Check out Stoyan Borov's answer for the minimum requirements. Here's how I set it up:

    app.use(session({
        cookie: {
            sameSite: 'lax', // lax or strict
            secure: process.env.NODE_ENV === 'production', // Crucial
            maxAge: 1000 * 60 * 60 * 24 * 30, // 30 days
        },
        proxy: true, // Crucial
        resave: false,
        saveUninitialized: true,
        secret: 'Gotta love cookies',
        store: yourSessionStore,
        rolling: true,
    }));

Great answer, thanks for good explanation of steps for Apache! — gudbrand3, Sep 09 '21 at 20:39
Hi Victor, I'm running into the same issue. See here https://stackoverflow.com/questions/71145818/unable-to-verify-authorization-state-on-heroku. Can you tell me how to set the apache headers you mentioned in nodejs/express? I'm unable to set them using apache because heroku doesn't use that — Chris Hansen, Feb 18 '22 at 13:14
And remember to enable the headers module: sudo a2enmod headers — anthonygore, Jul 14 '23 at 06:42

Swaraj Giri · Answer 4 · 2017-05-18T18:29:52.573

2

That's exactly what secure cookie does. It does not get saved by the browser in an insecure environment, read http://.

You need to add an ssl sert, redirect all http requests to https and then the cookie would get saved in the browser.

Getting https set up on local is irritating, so set secure in a config / environment variable you also set to false on your source control and enable it for prod/ staging.

Edit: Also enable resave, resave: true

edited May 18 '17 at 18:29

answered May 18 '17 at 06:52

Swaraj Giri

4,007
2
27
44

1

I am using HTTPS with a valid ssl cert. Sorry, I should have included that info. – Justin Lok May 18 '17 at 07:11
1

Enable resave, `resave: true` – Swaraj Giri May 18 '17 at 18:30

score 2 · Answer 5 · answered May 18 '17 at 07:53

2

My guess is that the actual problem is this:

httpOnly: true

This means that any client-side code cannot access the cookie (through document.cookie), and any XHR ("AJAX") requests that you perform need to explicitly set withCredentials before any cookies will be sent in the request.

It depends on which client-side setup you're using how to do that:

plain XHR: look at the example code
fetch: here
jQuery: use the xhrFields option for $.ajax()
Angular 1: here
Angular 2: here

answered May 18 '17 at 07:53

robertklep

198,204
35
394
381

Hello, would you know the answer to this ?http://stackoverflow.com/questions/44041506/how-to-check-that-a-user-has-already-voted-on-a-post – Coder1000 May 18 '17 at 09:16

Justin Lok · Answer 6 · 2017-05-18T23:01:22.670

0

Removing the secret key from cookie-parser seems to do the trick and allow logins for some reason. I was using the same secret key as the session cookie (as the documentation says to do) so I don't understand why it didn't work and yet it worked with unsecure cookies. Leaving the secret key on cookie-parser and enabling session resave true also worked. If anybody can explain this it would be appreciated.

edited May 18 '17 at 23:01

answered May 18 '17 at 22:44

Justin Lok

1,214
2
16
35

score 0 · Answer 7 · answered Jan 22 '20 at 08:29

<VirtualHost *:80>
 ServerName xx.com
    ProxyPreserveHost On
<Location "/">

        ProxyPreserveHost On
        ProxyPass http://localhost:8080/
        ProxyPassReverse http://localhost:8080/
        RequestHeader set X-Forwarded-Port "443"
        RequestHeader set X-Forwarded-Proto "https"
</Location></VirtualHost>

score 0 · Answer 8 · answered Aug 03 '20 at 18:56

0

app.set('trust proxy', 1); worked like a charm

answered Aug 03 '20 at 18:56

fad

43
1
9

Express-session Secure Cookies not working

8 Answers8

Linked