Why does this work:

// Assumes express-session (session), connect-redis (RedisStore) and uuid (uuidv4)
// are already required at the top of the file.
router.use(session({
  name: process.env.SESSION_COOKIE,      // cookie name
  genid: () => uuidv4(),                 // random session id
  cookie: {
    httpOnly: true,                      // not readable from client-side JS
  },
  secret: process.env.SESSION_SECRET,    // signs the session id cookie
  store: new RedisStore({
    host: process.env.REDIS_HOST,
    port: process.env.REDIS_PORT,
    ttl: 1 * 24 * 60 * 60, // In seconds
  }),
  saveUninitialized: false,
  resave: false,
}));

But this doesn't?

// Identical to the working configuration above, except the cookie is also flagged secure.
router.use(session({
  name: process.env.SESSION_COOKIE,
  genid: () => uuidv4(),
  cookie: {
    httpOnly: true,
    secure: true,                        // only sent/set over HTTPS
  },
  secret: process.env.SESSION_SECRET,
  store: new RedisStore({
    host: process.env.REDIS_HOST,
    port: process.env.REDIS_PORT,
    ttl: 1 * 24 * 60 * 60, // In seconds
  }),
  saveUninitialized: false,
  resave: false,
}));

Setting secure to true results in the session cookie not being set at all. FWIW, I'm using PassportJS for authentication.

NOTE: This question might look similar to this one but the top-voted answer there doesn't quite address the issue. It says httpOnly is causing the problem but I don't understand why it would? The cookie isn't being set on the client, right?

The file in question is up at https://github.com/amitschandillia/proost/blob/master/web/routes/auth-routes.js.

NOTE 2: The server is SSL-enabled and the URL is https://www.schandillia.com.

TheLearner

1 Answer


The secure option for a cookie means that the cookie is ONLY sent by the browser over an https connection and, in some browsers, the cookie marked as "secure" won't even be saved by the browser for future requests if it arrives over an insecure connection.

Your server appears to be an http server, so the cookie will not be sent back to your server on subsequent requests, making the cookie disappear.

jfriend00
  • I forgot to mention that my server is SSL-enabled. The URL is https://www.schandillia.com. – TheLearner Sep 02 '19 at 06:43
  • @TheLearner - This code [right here](https://github.com/amitschandillia/proost/blob/master/web/server/server.js#L79) is starting a plain http server, not an https server. – jfriend00 Sep 02 '19 at 06:44
  • So having an Nginx proxy direct all port 443 traffic to port 80 isn't enough? If I switch to https in express, won't that make the Nginx configs redundant? – TheLearner Sep 02 '19 at 06:49
  • @TheLearner - Well, there are at least two opportunities in that chain for the cookie to be blocked. It could be blocked outbound from the Express server because the express server sees that the connection is not https. Or, it could be blocked inbound by nginx and not proxied because it would be going over http to the proxy destination. You'd have to either study their code or do some diagnostic work on the network to see where it was getting blocked. – jfriend00 Sep 02 '19 at 07:02
  • @TheLearner - For starters, see if the cookie is present in the browser? Does it get there and get saved there? – jfriend00 Sep 02 '19 at 07:11
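The "blocked outbound from the Express server" case above can be reasoned about without a network capture. The following is an added illustration (not the code of Express, express-session or the linked project) that models how a `secure: true` cookie is gated on whether the request is seen as HTTPS: a Node process that only speaks plain HTTP behind an Nginx TLS terminator never sees an encrypted socket, so it treats every request as insecure unless it is told to trust the proxy's X-Forwarded-Proto header (Express's `trust proxy` setting, assumed here as the remedy, with Nginx passing `proxy_set_header X-Forwarded-Proto $scheme`).

```javascript
// Added illustration (not express-session's or Express's own code): models how
// a cookie configured with `secure: true` is gated on whether the request is
// seen as HTTPS. `req` is a minimal stand-in with `encrypted` (true when Node
// itself terminated TLS) and `headers` (lower-cased names, as in Node).

function isSecureRequest(req, trustProxy) {
  // A TLS socket terminated by this Node process is always secure.
  if (req.encrypted) return true;
  // Plain-HTTP socket and no trusted proxy: treated as insecure, even when
  // Nginx in front terminated TLS on 443 and forwarded to port 80.
  if (!trustProxy) return false;
  // With a trusted proxy, believe the first value of X-Forwarded-Proto.
  const header = req.headers['x-forwarded-proto'] || '';
  return header.split(',')[0].trim().toLowerCase() === 'https';
}

// Mirrors the session middleware's behaviour: a cookie with `secure: true`
// is silently not set on a request that is not considered secure.
function willSetSessionCookie(cookieOpts, req, trustProxy) {
  return !(cookieOpts.secure && !isSecureRequest(req, trustProxy));
}

// Constructed requests covering the deployment discussed in the question.
function diagnoseProxyChain() {
  const cookieOpts = { httpOnly: true, secure: true };
  const direct = { encrypted: false, headers: {} };
  const tls = { encrypted: true, headers: {} };
  // Nginx terminates TLS and proxies to Express over http, while passing
  // the original scheme along (proxy_set_header X-Forwarded-Proto $scheme).
  const viaNginx = { encrypted: false, headers: { 'x-forwarded-proto': 'https' } };
  return {
    directHttp: willSetSessionCookie(cookieOpts, direct, false),           // false
    directTls: willSetSessionCookie(cookieOpts, tls, false),               // true
    behindNginxNoTrust: willSetSessionCookie(cookieOpts, viaNginx, false), // false
    // Equivalent of app.set('trust proxy', 1) in Express (assumed remedy).
    behindNginxTrustProxy: willSetSessionCookie(cookieOpts, viaNginx, true), // true
  };
}

console.log(diagnoseProxyChain());
```

The third case is the one in the question: TLS is terminated by Nginx, Express sees plain http, and the secure cookie is never emitted; only the fourth case, where the proxy is trusted and forwards the scheme, results in the Set-Cookie header.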