Nicolas Urman

Reputation: 163

Why isn't express-session (SameSite attribute) working on Chrome?

I am developing a web app with Express.js and React.js. I am using express-session but it is not working. This is how I am using it:

const express = require('express');
const mongoose = require('mongoose');
const session = require('express-session');
const MongoStore = require('connect-mongo')(session); // connect-mongo v3 style, matches the mongooseConnection option below

const app = express();

app.use(session({
  store: new MongoStore({
    mongooseConnection: mongoose.connection, // reuse the app's mongoose connection
    ttl: 365 * 24 * 60 * 60                  // session lifetime in the store, in seconds
  }),
  secret: process.env.SESSION_SECRET,
  resave: true,
  saveUninitialized: false,
  cookie: {
    maxAge: 24 * 60 * 60 * 1000, // cookie lifetime, in milliseconds
    httpOnly: true,
    secure: false,
    SameSite: 'strict',
  }
}));

I tried with "secure" set to true, false, auto and all possible combinations, and always had the same Chrome issue:

In a future version of the browser, cookies marked with SameSite=None must also be marked with Secure to allow setting them in a cross-site context. This behavior protects user data from being sent over an insecure connection. Resolve this issue by updating the attributes of the cookie: Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute. Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests

Does anyone know how to solve it?

Thank you very much.

Upvotes: 9

Views: 14631

Answers (2)

ValRob

Reputation: 2692

Here is an example with session and MongoStore:

const session = require('express-session');
const MongoStore = require("connect-mongo")(session); // connect-mongo v3 style binding
const mongoose = require('mongoose');

module.exports = session({
  secret: 'SuperSecret - (Change it)', // set this from an environment variable
  resave: false,
  saveUninitialized: true,
  cookie: {
    secure: true,               // Secure: the browser only sends the cookie over HTTPS
    httpOnly: true,             // not readable from document.cookie
    sameSite: 'none',           // lowercase key; None is only accepted together with Secure
    maxAge: 60 * 60 * 24 * 1000 // one day, in milliseconds
  },
  store: new MongoStore({
    mongooseConnection: mongoose.connection,
    ttl: 24 * 60 * 60 // one day, in seconds
  })
});

Upvotes: 9

ezg

Reputation: 815

SameSite: 'strict' is the issue! The first 'S' should be lowercase in JavaScript: sameSite: 'strict'.

Also, if that doesn't solve your problem, could it be that it's not actually a same-site request and you need to change it to sameSite: 'none'? I could be wrong, I don't know anything other than what you shared, but just wanted to throw that out just in case!

Upvotes: 8
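Taken together, the two answers come down to two rules: express-session hands the `cookie` object to the `cookie` package, which only knows the lowercase key `sameSite` and silently drops anything else, and Chrome only stores a `SameSite=None` cookie if it is also `Secure`, which in turn requires an HTTPS response. The block below is an added example, not code from the question or from either answer: a simplified, stand-alone reimplementation of how the option object becomes a `Set-Cookie` header, plus a checker for the rules in the Chrome warning quoted in the question. The functions `unknownCookieKeys`, `serializeSessionCookie`, `chromeWillStore` and `demo`, and the two sample option objects, are assumptions made for illustration and are not express-session's API.

```javascript
'use strict';

// Option keys the cookie serializer understands. express-session delegates to
// the `cookie` package, whose option is the lowercase `sameSite`; any other key
// (e.g. `SameSite`) is ignored. Simplified reimplementation, not the library's code.
const KNOWN_COOKIE_KEYS = new Set([
  'maxAge', 'expires', 'domain', 'path', 'httpOnly', 'secure', 'sameSite',
]);

// Cheap lint: report option keys that will have no effect on the emitted cookie.
function unknownCookieKeys(cookieOpts) {
  return Object.keys(cookieOpts).filter((k) => !KNOWN_COOKIE_KEYS.has(k));
}

// Build the Set-Cookie value for the given `cookie` options. Path defaults to '/',
// maxAge (ms) is turned into an Expires attribute, booleans become bare flags.
function serializeSessionCookie(name, value, cookieOpts, now = Date.now()) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (cookieOpts.domain) parts.push(`Domain=${cookieOpts.domain}`);
  parts.push(`Path=${cookieOpts.path || '/'}`);
  if (typeof cookieOpts.maxAge === 'number') {
    parts.push(`Expires=${new Date(now + cookieOpts.maxAge).toUTCString()}`);
  }
  if (cookieOpts.httpOnly) parts.push('HttpOnly');
  if (cookieOpts.secure === true) parts.push('Secure');
  if (cookieOpts.sameSite) {
    const raw = cookieOpts.sameSite === true
      ? 'strict'
      : String(cookieOpts.sameSite).toLowerCase();
    if (!['strict', 'lax', 'none'].includes(raw)) {
      throw new TypeError(`unsupported sameSite value: ${raw}`);
    }
    parts.push(`SameSite=${raw[0].toUpperCase()}${raw.slice(1)}`);
  }
  return parts.join('; ');
}

// The rules behind the Chrome warning quoted in the question:
//  - a cookie with no SameSite attribute is treated as Lax;
//  - SameSite=None is rejected unless Secure is also present;
//  - a Secure cookie is only set from an HTTPS response;
//  - Lax/Strict cookies are not set by a cross-site fetch/XHR response.
function chromeWillStore(setCookie, { https, crossSite }) {
  const attrs = setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const secure = attrs.includes('secure');
  const ss = attrs.find((a) => a.startsWith('samesite='));
  const sameSite = ss ? ss.slice('samesite='.length) : 'lax';
  if (secure && !https) {
    return { stored: false, reason: 'Secure cookie on a plain-http response' };
  }
  if (sameSite === 'none' && !secure) {
    return { stored: false, reason: 'SameSite=None requires Secure' };
  }
  if (crossSite && sameSite !== 'none') {
    return { stored: false, reason: `SameSite=${sameSite} cookie not set by a cross-site request` };
  }
  return { stored: true, reason: 'ok' };
}

// Constructed inputs: the question's cookie block (capital S) beside a corrected one.
const asPosted = { maxAge: 24 * 60 * 60 * 1000, httpOnly: true, secure: false, SameSite: 'strict' };
const corrected = { maxAge: 24 * 60 * 60 * 1000, httpOnly: true, secure: true, sameSite: 'none' };

// Run both configurations through the serializer and the checker. Time is fixed
// so the Expires attribute is deterministic.
function demo() {
  const fixedNow = Date.UTC(2020, 0, 1);
  const posted = serializeSessionCookie('connect.sid', 's:abc', asPosted, fixedNow);
  const fixed = serializeSessionCookie('connect.sid', 's:abc', corrected, fixedNow);
  return {
    ignoredKeys: unknownCookieKeys(asPosted),            // ['SameSite']
    posted,                                              // no SameSite attribute at all
    fixed,                                               // ...; HttpOnly; Secure; SameSite=None
    postedCrossSite: chromeWillStore(posted, { https: false, crossSite: true }),
    fixedOverHttp: chromeWillStore(fixed, { https: false, crossSite: true }),
    fixedOverHttps: chromeWillStore(fixed, { https: true, crossSite: true }),
  };
}
```

With the options as posted, `unknownCookieKeys` flags `SameSite`, the header carries no SameSite attribute at all, and Chrome falls back to Lax, which is exactly what the warning complains about in a cross-site context. The corrected options produce `SameSite=None` with `Secure`, which Chrome accepts only over HTTPS. One further caveat from express-session itself: with `secure: true` behind a TLS-terminating proxy, the cookie is only sent if Express sees the request as HTTPS, so `app.set('trust proxy', 1)` is needed in that deployment.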
