Muhammad Jaffer

Reputation: 5

express-session secure: true for production

const express = require('express');
const session = require('express-session');

const app = express();
// Assumed to be read from the environment; the original snippet does not show where it comes from.
const SESSION_SECRET = process.env.SESSION_SECRET;

app.use(session({
  secret: SESSION_SECRET || 'default-secret',
  resave: false,
  saveUninitialized: true,
  cookie: {
    httpOnly: true,
    secure: true, // for production
    maxAge: 10 * 60 * 1000
  }
}));

I'm working on some security problems in my newly developed web application. After doing some research online, I found that if secure: true is set, then it is more secure and it should be used for production only. However, if I set secure: true, then the information inside the session is lost every time the user sends another request, even in production, where I am using HTTPS. Is there a way to solve this problem?

I tried secure: true (for production) and I am also using HTTPS, but it isn't working.

Upvotes: -1

Views: 36

Answers (3)

Erhan Güney

Reputation: 1

Setting httpOnly to false creates a vulnerability to XSS attacks; therefore, I do not recommend this solution.

Upvotes: 0

Muhammad Jaffer

Reputation: 5

After some research I found a fix for my problem. In my code I was commenting out httpOnly: true, which is true by default, so I have to define it as false rather than removing it from my code.

This works for me:

cookie: {
  httpOnly: false,
  secure: true
}

Upvotes: 0

Erhan Güney

Reputation: 1

If your application is running behind a reverse proxy (e.g., Nginx or Heroku), the Express application may interpret incoming HTTPS requests as HTTP. In this case, secure: true will prevent the session cookies from being sent.

app.set('trust proxy', 1);

Upvotes: 0
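The mechanism behind this answer, as an added example that is not part of the question or any answer: a simplified model of how express-session decides whether to emit a cookie flagged `secure`, run over constructed requests for the three deployments discussed (direct TLS, behind a TLS-terminating proxy without `trust proxy`, and the same proxy with `trust proxy` enabled). It is not the library's code; `trustProxy` stands for whatever `app.set('trust proxy', …)` resolves to for the request.

```javascript
// Model of Express's `req.protocol`: a TLS socket always wins; otherwise the
// X-Forwarded-Proto header is consulted only when `trust proxy` is enabled.
function requestProtocol(req, trustProxy) {
  if (req.encrypted) return 'https';
  if (!trustProxy) return 'http';
  const header = req.headers['x-forwarded-proto'] || '';
  // A chain of proxies may append values; the first is the client-facing hop.
  return header.split(',')[0].trim().toLowerCase() || 'http';
}

// Model of express-session's check: a cookie with `secure: true` is only sent
// when the request is seen as HTTPS. `httpOnly` plays no part in this decision.
function sessionCookieIsSent(req, cookie, trustProxy) {
  if (!cookie.secure) return true;
  return requestProtocol(req, trustProxy) === 'https';
}

// Constructed sample requests (not captured from a real deployment).
const directTls = { encrypted: true, headers: {} };
const behindProxy = { encrypted: false, headers: { 'x-forwarded-proto': 'https' } };
const plainHttp = { encrypted: false, headers: {} };

// The cookie options as posted in the question.
const postedCookie = { httpOnly: true, secure: true, maxAge: 10 * 60 * 1000 };

function scenarios() {
  return {
    // TLS terminated by Node itself: the cookie is sent.
    directTls: sessionCookieIsSent(directTls, postedCookie, false),
    // TLS terminated by Nginx/Heroku, no `trust proxy`: Express sees plain HTTP,
    // the cookie is silently dropped and the session restarts on every request.
    proxyUntrusted: sessionCookieIsSent(behindProxy, postedCookie, false),
    // Same deployment after app.set('trust proxy', 1): the cookie is sent again.
    proxyTrusted: sessionCookieIsSent(behindProxy, postedCookie, true),
    // Setting httpOnly: false changes nothing here; it only exposes the cookie to scripts.
    proxyUntrustedHttpOnlyOff: sessionCookieIsSent(
      behindProxy, { ...postedCookie, httpOnly: false }, false),
    // Plain HTTP with no proxy: dropping the cookie is the intended protection.
    plainHttp: sessionCookieIsSent(plainHttp, postedCookie, true),
  };
}

console.log(scenarios());
```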
