Reputation: 678
After the latest updates in Chrome, the browser is not saving my server cookies. Previously, it was working even though it showed a warning about it. But now it is not.
Since my React app is hosted on Netlify and my server runs on AWS, it is cross-origin. So, I have changed my cookie settings in express-session with the sameSite=None and secure options as follows.
    const express = require('express');
    const session = require('express-session');

    const app = express();

    app.use(session({
      secret: 'my secret',
      name: 'my-react-app',
      resave: false,
      saveUninitialized: true,
      cookie: {
        secure: true,                 // only send the cookie over HTTPS
        sameSite: 'none',             // allow the cookie on cross-site requests
        maxAge: 24 * 60 * 60 * 1000,  // one day, in milliseconds
        httpOnly: true                // not readable from page scripts
      }
    }));
After setting secure: true, it does not even work in Firefox. The website is served over HTTPS. I've tried almost all combinations of these params. Am I missing anything? Any help would be appreciated.
Upvotes: 5
Views: 2392
Reputation: 678
I found the solution finally.
Actually, it has nothing much to do with express-session settings, on which I spent a lot of hours. The main reason behind this is a misconfigured reverse proxy. In my case, the connection between the reverse proxy and the application server was not HTTPS. Because of that, the secure flag in the cookie is not applied, which in turn results in the sameSite option being set to the default 'lax' value. And that's why my cookies got rejected in a cross-origin request.
To solve this, I have to set X-Forwarded-Proto in the proxy header.
Open the reverse proxy configuration file (sudo nano /etc/nginx/conf.d/sysmon.conf in my case) and add the following line.

    proxy_set_header X-Forwarded-Proto $scheme;

This will forward the request over https.
And you also need to set "trust proxy" in Express.

    const express = require('express');
    const app = express();
    app.set('trust proxy', 1); // trust the first proxy (nginx) so req.secure follows X-Forwarded-Proto
Upvotes: 3
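As an added example (not code from the post, Express or express-session), a small JavaScript model of the chain the answer describes: Express's "trust proxy" rule for req.secure, express-session refusing to emit a Secure cookie on a request it does not consider secure, and the browser rule that SameSite=None needs Secure. The scenario assumes the post's setup (nginx terminating TLS, plain HTTP to the app); the helper names and session id are hypothetical.

```javascript
// Added example, not code from the post, Express or express-session: a model
// of the three checks the answer walks through. Helper names are hypothetical.

// Express: req.secure comes from the socket unless "trust proxy" is set, in
// which case the first X-Forwarded-Proto value decides.
function requestIsSecure({ socketEncrypted, headers, trustProxy }) {
  const xfp = headers['x-forwarded-proto'];
  if (!trustProxy || !xfp) return socketEncrypted;
  return xfp.split(',')[0].trim().toLowerCase() === 'https';
}

// express-session with cookie.secure: true refuses to emit Set-Cookie when
// the request is not considered secure ("not secured" in its debug output).
function buildSetCookie(req, cookie) {
  if (cookie.secure && !requestIsSecure(req)) return null;
  const attrs = [cookie.name + '=' + cookie.value, 'Path=/'];
  if (cookie.httpOnly) attrs.push('HttpOnly');
  if (cookie.secure) attrs.push('Secure');
  if (cookie.sameSite) {
    const v = cookie.sameSite.toLowerCase();
    attrs.push('SameSite=' + v.charAt(0).toUpperCase() + v.slice(1));
  }
  return attrs.join('; ');
}

// Browser side: SameSite=None is rejected unless Secure is present, and a
// Lax/Strict cookie (the default when SameSite is absent) is stored but not
// attached to cross-site requests, so a cross-origin SPA never sees it.
function cookieWorksCrossSite(setCookie) {
  if (setCookie === null) return false;
  const secure = /;\s*Secure(;|$)/i.test(setCookie);
  const m = /SameSite=(\w+)/i.exec(setCookie);
  const sameSite = m ? m[1].toLowerCase() : 'lax';
  if (sameSite === 'none') return secure;
  return false;
}

// The post's deployment: nginx terminates TLS and talks plain HTTP to the app.
function sessionCookieOutcome({ trustProxy, xForwardedProto }) {
  const headers = xForwardedProto ? { 'x-forwarded-proto': xForwardedProto } : {};
  const req = { socketEncrypted: false, headers, trustProxy };
  const cookie = { name: 'my-react-app', value: 'abc123', // constructed id
                   secure: true, sameSite: 'none', httpOnly: true };
  const setCookie = buildSetCookie(req, cookie);
  return { setCookie, worksCrossSite: cookieWorksCrossSite(setCookie) };
}
```

Run sessionCookieOutcome with and without trustProxy to see the post's failure (no Set-Cookie at all behind the proxy) turn into a Secure, SameSite=None cookie once the proxy header is trusted.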