Hugo

Reputation: 51

Express-Session not working in production/deployment

Express-Session works in the development environment, as it sets the "connect.sid" cookie in my browser. However, in production it does not store the cookie, and instead of using the same session it creates a new one every time. I believe the issue would be fixed if I could somehow save third-party cookies, as my app was deployed using Heroku. Lastly, I have also used express-cors to avoid the CORS issue (I don't know if this has anything to do with the cookie issue). I have set {credentials: true} in cors and {withCredentials: true} in Axios as well.

Upvotes: 2

Views: 10466

Answers (4)

Hugo

Reputation: 51

Issue solved! Add sameSite: 'none'. Full cookie config (express-session) for production:

cookie: {
    httpOnly: true,            // not readable from document.cookie
    secure: true,              // only sent over HTTPS
    maxAge: 1000 * 60 * 60 * 48, // 48 hours
    sameSite: 'none'           // sent on cross-site requests (browsers require secure: true with this)
}

Upvotes: 3

Zee

Reputation: 483

Code that works for me. You have to add

app.set("trust proxy", 1);

sameSite: "none" // this option in the cookie object

The whole code would look like below.

const express = require("express");
const session = require("express-session");
// connect-session-sequelize exports a factory that takes the express-session Store class
const SequelizeStore = require("connect-session-sequelize")(session.Store);
// config and db: application-specific modules (not shown)

const app = express();

app.set("trust proxy", 1); // trust first proxy

app.use(
  session({
    secret: config.domain,
    store: new SequelizeStore({
      db: db.sequelize,
      checkExpirationInterval: 15 * 60 * 1000, // The interval at which to cleanup expired sessions in milliseconds.
      expiration: 15 * 24 * 60 * 60 * 1000, // The maximum age (in milliseconds) of a valid session.
    }),
    resave: false, // we support the touch method so per the express-session docs this should be set to false
    proxy: true, // if you do SSL outside of node.
    saveUninitialized: true,
    cookie: { secure: true, sameSite: "none" },
  })
);

Upvotes: 3

JeffJassky

Reputation: 91

Adding a "name" attribute to the session config worked for me:

{
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: true,
  proxy: true, // Required for Heroku & Digital Ocean (regarding X-Forwarded-For)
  name: 'MyCoolWebAppCookieName', // This needs to be unique per-host.
  cookie: {
    secure: true, // required for cookies to work on HTTPS
    httpOnly: false,
    sameSite: 'none'
  }
}

Upvotes: 3

Bergur

Reputation: 4067

Heroku uses a reverse proxy. It offers HTTPS endpoints but then forwards unencrypted traffic to the website.

Try something like

app.enable('trust proxy')

And check out https://expressjs.com/en/guide/behind-proxies.html

Upvotes: 7
