Express-Session is working in the development environment, as it sets the "connect.sid" cookie in my browser. However, in production it's not storing the cookie, and instead of using the same session, it creates a new one every time. I believe that the issue would be fixed if I can somehow save third-party cookies, as my app was deployed using Heroku. Lastly, I have also used express-cors to avoid the CORS issue (I don't know if this has anything to do with the cookie issue). I have set {credentials: true} in cors and {withCredentials: true} in Axios as well.
1
- There isn't enough architectural information here for us to be able to help. Show your express-session initialization code. Describe exactly what request URL the session is first created with and then what subsequent URL you see a new session get created. Then, show the exact client code that creates the first session and the second client code that doesn't have access to that same session. Show all URLs precisely as they are in the real world. – jfriend00 Jan 18 '21 at 00:44
- Since you may be new here, questions about code should always show the relevant code. You will get answers more accurately and faster when you show your relevant and actual code. That allows us to see your specific problem and provide a specific solution rather than having to try to teach a whole chapter in a book to guess what might be happening in your situation and explain a whole generic solution with all the possibilities. No engagement here at all in the first hour is because your question is too vague and does not contain your code or describe the situation in enough detail. – jfriend00 Jan 18 '21 at 00:45
4 Answers
4
Heroku uses a reverse proxy. It offers HTTPS endpoints but then forwards unencrypted traffic to the website.
Try something like
app.enable('trust proxy')
And check out https://expressjs.com/en/guide/behind-proxies.html

Bergur
- Thanks for that! I just fixed the issue. app.enable('trust proxy') didn't work, but you are right about the Heroku proxy. As I'm using express-session I just had to add sameSite to the cookie: cookie: { httpOnly: true, secure: true, maxAge: 1000 * 60 * 60 * 48, sameSite: 'none' } – Hugo Jan 19 '21 at 01:07
2
Issue solved! Add sameSite: 'none'. Full cookie config (express-session) for production:
cookie: { httpOnly: true, secure: true, maxAge: 1000 * 60 * 60 * 48, sameSite: 'none' }

Hugo
2
Adding a "name" attribute to the session config worked for me:
{
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: true,
  proxy: true, // Required for Heroku & Digital Ocean (regarding X-Forwarded-For)
  name: 'MyCoolWebAppCookieName', // This needs to be unique per-host.
  cookie: {
    secure: true, // required for cookies to work on HTTPS
    httpOnly: false, // exposes the session cookie to client-side JavaScript; true is the safer default
    sameSite: 'none'
  }
}

user759661
- You're a lifesaver. For the past week I've been unaware of the sameSite and proxy properties being necessary. THANK YOU – Jacob Broughton Feb 25 '23 at 16:53
1
Code that works for me. You have to add
app.set("trust proxy", 1);
sameSite: "none" // this option in the cookie object
The whole code would look like this:
app.set("trust proxy", 1); // trust first proxy
app.use(
  session({
    secret: config.domain, // session-signing secret; a long random value kept out of source control is safer than a guessable string
    store: new SequelizeStore({
      db: db.sequelize,
      checkExpirationInterval: 15 * 60 * 1000, // The interval at which to clean up expired sessions, in milliseconds.
      expiration: 15 * 24 * 60 * 60 * 1000, // The maximum age (in milliseconds) of a valid session.
    }),
    resave: false, // we support the touch method, so per the express-session docs this should be set to false
    proxy: true, // if you do SSL outside of node.
    saveUninitialized: true,
    cookie: { secure: true, sameSite: "none" },
  })
);

Zee
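The answers above all circle the same two mechanisms: express-session refuses to emit a `secure: true` cookie unless it believes the request came over HTTPS (which behind Heroku is only knowable from X-Forwarded-Proto, hence `proxy: true` or `trust proxy`), and a browser only sends the cookie on a cross-site XHR when it carries `SameSite=None; Secure`. The following is an added, stand-alone model of both checks; it is not code from the question or any answer, and `isSecureRequest()` is a simplified re-implementation of express-session's internal check rather than the library's source.

```javascript
// Added example, not from the question or any of the answers: a stand-alone
// model of why the express-session cookie vanishes behind Heroku's reverse
// proxy. isSecureRequest() is a simplified re-implementation of the check
// express-session applies (an assumption about the library, not its source).

// A "Secure" cookie is only emitted when the request is believed to be HTTPS.
// Behind Heroku the socket is plain HTTP, so the answer depends entirely on
// the `proxy` option (or Express's `trust proxy`) and X-Forwarded-Proto.
function isSecureRequest(req, trustProxy) {
  if (req.encrypted) return true;                      // TLS terminated on this socket
  if (trustProxy === false) return false;              // proxy: false -> ignore headers
  if (trustProxy !== true) return req.secure === true; // proxy unset -> Express's req.secure
  const proto = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
  return proto === 'https';                            // proxy: true -> trust forwarded proto
}

// Returns the Set-Cookie value the server would send, or null when the cookie
// is silently dropped (the symptom: a fresh session on every request).
function sessionSetCookie(req, opts) {
  const c = opts.cookie;
  if (c.secure && !isSecureRequest(req, opts.proxy)) return null;
  const parts = [`${opts.name || 'connect.sid'}=<signed-session-id>`, 'Path=/'];
  if (c.httpOnly) parts.push('HttpOnly');
  if (c.secure) parts.push('Secure');
  if (c.sameSite) parts.push(`SameSite=${c.sameSite[0].toUpperCase()}${c.sameSite.slice(1)}`);
  return parts.join('; ');
}

// Would a current browser store the cookie and attach it to a cross-site XHR
// (frontend and API on different origins, axios withCredentials: true)?
function browserSendsCrossSite(setCookie) {
  if (setCookie === null) return false;
  const attrs = setCookie.split('; ').slice(1);
  const sameSite = (attrs.find((a) => a.startsWith('SameSite=')) || 'SameSite=Lax').split('=')[1];
  if (sameSite === 'None' && !attrs.includes('Secure')) return false; // SameSite=None needs Secure
  return sameSite === 'None';                                         // Lax/Strict: withheld cross-site
}

// Constructed request as a Heroku dyno sees it: plain socket, HTTPS only in the header.
const herokuRequest = { encrypted: false, secure: false, headers: { 'x-forwarded-proto': 'https' } };

// The failing production config (no proxy trust) beside the corrected one.
const withoutProxy = { cookie: { httpOnly: true, secure: true, sameSite: 'none' } };
const production = { proxy: true, cookie: { httpOnly: true, secure: true, sameSite: 'none' } };

console.log(sessionSetCookie(herokuRequest, withoutProxy)); // null: browser never gets a cookie
console.log(sessionSetCookie(herokuRequest, production));
```

`app.set("trust proxy", 1)` fixes the same failure from the other side: it makes Express's `req.secure` true for forwarded HTTPS requests, which is the fallback `isSecureRequest()` consults when `proxy` is left unset.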