Prashan

Reputation: 311

Express JS/ Node JS : Browsers are not setting cookie when secure=true, sameSite: 'none'

It sets the cookie if I run the server locally, but when it is hosted online:

  1. If secure=false, sameSite: 'none', then I get the following error:

Cookie “connect.sid” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Then I tried with secure=true.

  2. If secure=true, sameSite: 'none', then I know it's supposed to work,

It works and the cookies are set when the server is hosted locally. But when it is hosted on Heroku the cookies are not set, and I get no error.

It seems as if the client website is not secure, but it shows https in the URL box.

What am I doing wrong here?

session config:

const express = require("express");
const session = require("express-session");

const router = express.Router();

router.use(
    session({
        cookie: {
            secure: true,
            maxAge: 86400,      // express-session's maxAge is in milliseconds, so this is 86.4 seconds, not one day
            sameSite: "none",
        },
        secret: process.env.SESSION_SECRET,
        resave: false,
        saveUninitialized: false,
    })
);

Note: I have already enabled CORS with credentials set to true. The Cookies tab for the XHR request was empty. Front-end and back-end are hosted separately on Heroku. XMLHttpRequest is used to send the POST request with withCredentials set to true.

XHR POST https://sih-drs-prototype-backend-2.herokuapp.com/api/outrages/login [HTTP/1.1 200 OK 1625ms]

POST https://sih-drs-prototype-backend-2.herokuapp.com/api/outrages/login  Status: 200 OK  Version: HTTP/1.1  Transferred: 367 B (2 B size)

Response headers:

Access-Control-Allow-Credentials
    true
Access-Control-Allow-Origin
    https://tempautocomplete.herokuapp.com
Connection
    keep-alive
Content-Length
    2
Content-Type
    application/json; charset=utf-8
Date
    Sun, 12 Jul 2020 14:06:42 GMT
Etag
    W/"2-vyGp6PvFo4RvsFtPoIWeCReyIC8"
Server
    Cowboy
Vary
    Origin
Via
    1.1 vegur
X-Powered-By
    Express

Request headers:

Accept
    */*
Accept-Encoding
    gzip, deflate, br
Accept-Language
    en-US,en;q=0.5
Connection
    keep-alive
Content-Length
    46
Content-Type
    application/json;charset=UTF-8
Host
    sih-drs-prototype-backend-2.herokuapp.com
Origin
    https://tempautocomplete.herokuapp.com
Referer
    https://tempautocomplete.herokuapp.com/static/
User-Agent
    Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Upvotes: 18

Views: 9528

Answers (2)

Shaul Amran

Reputation: 21

The settings, as posted in the original question, are OK; only one thing was missing, since Heroku might be using a proxy. I ran into the same problem, and when I added:

app.set('trust proxy', 1);

The Set-Cookie header was finally sent from the Express server, hosted on Heroku to the browser.

Upvotes: 2
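Why that one line matters, as an added example (not code from the question, the answer above, or the express/express-session projects): the model below reproduces, with Node built-ins only, the two decisions that produce the symptom in the question. Express derives req.secure from the socket, or from X-Forwarded-Proto only when 'trust proxy' is set; express-session then silently skips Set-Cookie when cookie.secure is true but the request is not considered secure. Heroku's router terminates TLS and forwards plain HTTP to the dyno with X-Forwarded-Proto: https, so without 'trust proxy' the dyno sees an insecure request. The function names (requestProtocol, isSecure, sessionSetCookie, demo), the placeholder session id and the request objects are all constructed for this illustration.

```javascript
// Added example: a model of Express's req.secure and express-session's
// Set-Cookie decision, not the libraries' own code. Requests are hand-built
// objects standing in for http.IncomingMessage.

// Mirrors how Express derives req.protocol: TLS on the socket itself wins;
// otherwise X-Forwarded-Proto is honoured only when the app trusts the proxy.
function requestProtocol(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return 'https';
  if (!trustProxy) return 'http';
  const forwarded = req.headers['x-forwarded-proto'];
  if (!forwarded) return 'http';
  // A chain of proxies may append values; the first is the client-facing hop.
  return forwarded.split(',')[0].trim().toLowerCase();
}

function isSecure(req, trustProxy) {
  return requestProtocol(req, trustProxy) === 'https';
}

// The Set-Cookie value express-session would emit for a cookie configured like
// the one in the question, or null when it would send nothing at all. No error
// is raised in the null case, which matches what the question reports.
function sessionSetCookie(req, opts) {
  const { trustProxy, secure, sameSite, maxAgeMs, now } = opts;
  if (secure && !isSecure(req, trustProxy)) return null;
  const parts = ['connect.sid=s%3Aexample-sid', 'Path=/']; // placeholder sid
  if (maxAgeMs !== undefined) {
    // express-session turns maxAge (milliseconds) into an absolute Expires.
    parts.push('Expires=' + new Date(now.getTime() + maxAgeMs).toUTCString());
  }
  parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  if (sameSite) parts.push('SameSite=' + sameSite[0].toUpperCase() + sameSite.slice(1));
  return parts.join('; ');
}

// Constructed requests. Behind the Heroku router the dyno's socket is plain
// TCP and the original scheme arrives in a header; a direct TLS connection has
// an encrypted socket; a client talking straight to an unproxied server can
// forge the header, which is why 'trust proxy' must match the deployment.
const viaHerokuRouter = {
  socket: { encrypted: false },
  headers: { 'x-forwarded-proto': 'https', host: 'sih-drs-prototype-backend-2.herokuapp.com' },
};
const directTls = { socket: { encrypted: true }, headers: {} };
const spoofed = { socket: { encrypted: false }, headers: { 'x-forwarded-proto': 'https' } };

// Same cookie options as the question; 'now' is fixed so the output is stable.
const cookieOpts = { secure: true, sameSite: 'none', maxAgeMs: 86400, now: new Date(0) };

function demo() {
  return {
    herokuWithoutTrustProxy: sessionSetCookie(viaHerokuRouter, { ...cookieOpts, trustProxy: false }),
    herokuWithTrustProxy: sessionSetCookie(viaHerokuRouter, { ...cookieOpts, trustProxy: 1 }),
    directTls: sessionSetCookie(directTls, { ...cookieOpts, trustProxy: false }),
    spoofedUntrusted: isSecure(spoofed, false), // header ignored
    spoofedTrusted: isSecure(spoofed, true),    // header believed
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Note the Expires value the run produces: with maxAge: 86400 the cookie is dated 86 seconds after issue, because express-session takes maxAge in milliseconds. Also note the last two results: 'trust proxy' makes the app believe X-Forwarded-Proto, so enable it only where a proxy you control is guaranteed to sit in front of every connection (true on Heroku, not true for a server reachable directly).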

Prashan

Reputation: 311

The problem is not with express-session; it does its job. The browsers are not allowing cookies when the response comes from a 3rd-party domain.


If you are looking for a workaround, try this npm package: should-send-same-site-none, https://www.npmjs.com/package/should-send-same-site-none


To be clear, the browser is not rejecting the cookies. Instead, the cookies are stored in the name of the 3rd-party domain from which the response is sent.

It works perfectly fine when hosting locally, since the request and the response would be from the same domain (localhost).

Upvotes: 3
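What a workaround of that kind actually does, as an added example (my own port, not the should-send-same-site-none package's code and not code from this thread): when SameSite=None was introduced, some older clients either dropped any cookie carrying it (Chromium 51 to 66, UC Browser before 12.13.2) or treated it as SameSite=Strict (WebKit on iOS 12 and on macOS 10.14). Chromium published User-Agent patterns and pseudocode for recognising those clients, and packages like the one linked above apply that check per request so the server omits the attribute for clients that would mishandle it. The regular expressions follow that published guidance; the function names (isSameSiteNoneIncompatible, cookieOptionsFor and helpers) and the sample User-Agent strings are constructed for this illustration.

```javascript
// Added example: per-request SameSite=None compatibility check, ported from
// Chromium's published incompatible-client detection. Not the package's code.

const RE_IOS = /\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit\//;
const RE_MACOS = /\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit\//;
const RE_SAFARI = /Version\/.* Safari\//;
const RE_MAC_EMBEDDED = /^Mozilla\/[.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit\/[.\d]+ \(KHTML, like Gecko\)$/;
const RE_CHROMIUM = /Chrom(e|ium)/;
const RE_CHROMIUM_VERSION = /Chrom[^ \/]+\/(\d+)[.\d]* /;
const RE_UC = /UCBrowser\//;
const RE_UC_VERSION = /UCBrowser\/(\d+)\.(\d+)\.(\d+)[.\d]* /;

// WebKit on iOS 12, and Safari / embedded WebKit on macOS 10.14, read
// SameSite=None as if it were SameSite=Strict.
function hasWebKitSameSiteBug(ua) {
  const ios = RE_IOS.exec(ua);
  if (ios && Number(ios[1]) === 12) return true;
  const mac = RE_MACOS.exec(ua);
  return !!mac && Number(mac[1]) === 10 && Number(mac[2]) === 14 &&
    (RE_SAFARI.test(ua) || RE_MAC_EMBEDDED.test(ua));
}

// Chromium 51-66 and UC Browser before 12.13.2 discard the cookie entirely.
function dropsUnrecognizedSameSiteCookies(ua) {
  if (RE_UC.test(ua)) {
    const m = RE_UC_VERSION.exec(ua);
    if (!m) return true; // unknown UC version: assume the old behaviour
    const [major, minor, build] = m.slice(1).map(Number);
    const atLeast = major > 12 || (major === 12 && (minor > 13 || (minor === 13 && build >= 2)));
    return !atLeast;
  }
  const chrome = RE_CHROMIUM_VERSION.exec(ua);
  return RE_CHROMIUM.test(ua) && !!chrome && Number(chrome[1]) >= 51 && Number(chrome[1]) < 67;
}

function isSameSiteNoneIncompatible(ua) {
  return hasWebKitSameSiteBug(ua) || dropsUnrecognizedSameSiteCookies(ua);
}

// express-session cookie options for one request: keep sameSite: 'none' for
// clients that understand it and drop the attribute for the rest, so those old
// clients fall back to their own (pre-2020, unrestricted) default. The Secure
// flag stays on either way; only the SameSite attribute is negotiated.
function cookieOptionsFor(ua, base) {
  if (isSameSiteNoneIncompatible(ua || '')) {
    const { sameSite, ...rest } = base;
    return rest;
  }
  return { ...base, sameSite: 'none' };
}

// Constructed User-Agent strings for the demonstration.
const UA = {
  firefox78: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0',
  chrome60: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
  chrome83: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
  ios12Safari: 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1',
  ios13Safari: 'Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Mobile/15E148 Safari/604.1',
  mac1014Safari: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15',
  mac1014Embedded: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko)',
  ucOld: 'Mozilla/5.0 (Linux; U; Android 8.1.0; en-US) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.11.2.1184 Mobile Safari/537.36',
  ucNew: 'Mozilla/5.0 (Linux; U; Android 8.1.0; en-US) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.2.1208 Mobile Safari/537.36',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, ua] of Object.entries(UA)) {
    console.log(name, cookieOptionsFor(ua, { secure: true, httpOnly: true }));
  }
}
```

In an Express app this would be called inside a middleware with req.get('User-Agent') and the result passed as the cookie option to express-session, or used to set req.session.cookie.sameSite per request. It is a transitional measure: the clients it caters for are long out of support, and the check should be removed rather than carried indefinitely.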

Related Questions