
Forward opts.secure to the `cookies` library to prevent silent error

Open wille opened this issue 1 year ago • 0 comments

If Express thinks you are running over an insecure connection, like when X-Forwarded-Proto is http, cookie-session will silently fail to set the session cookie (unless debugging is turned on).

This PR forwards options.secure to the cookies library.

I accidentally changed how my NGINX sends x-forwarded-* headers, and even though it was running behind HTTPS, nginx would send the X-Forwarded-Proto: http header and sessions on my site would start to fail completely, resulting in a big outage for users.

Code that fails

Cookies.prototype.set = function(name, value, opts) {
  var req = this.request
  // ...

  // When no explicit `secure` option was given to the Cookies constructor,
  // the library infers it from the request: req.protocol (which Express
  // derives from X-Forwarded-Proto when 'trust proxy' is set) or the socket.
  var secure = this.secure === undefined
    ? req.protocol === 'https' || isRequestEncrypted(req)
    : Boolean(this.secure)

  // ...

  // A cookie requested with { secure: true } on a connection inferred to be
  // plain HTTP is refused outright; cookie-session catches this and only
  // reports it via debug(), so the session cookie is dropped silently.
  if (!secure && opts && opts.secure) {
    throw new Error('Cannot send secure cookie over unencrypted connection')
  }

  // ...
}

wille avatar Oct 28 '24 10:10 wille
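The failure mode described in this issue, as an added example that is not cookie-session's or the `cookies` library's own code: a small model of the `secure` inference in `Cookies.prototype.set`, of the catch-and-debug in cookie-session's header hook, and of the effect of forwarding `opts.secure` to the `Cookies` constructor. The request objects are constructed to mimic what Express exposes as `req.protocol` behind a proxy; `resolveSecure`, `setCookie`, `saveSession` and `demo` are names chosen for this example.

```javascript
// Added example, not the cookie-session or cookies code.
// Models the secure check and the silent failure with constructed requests.

// Model of the `cookies` secure decision: an explicit constructor option wins,
// otherwise the value is inferred from the request.
function resolveSecure(req, instanceSecure) {
  return instanceSecure === undefined
    ? req.protocol === 'https' || Boolean(req.connection && req.connection.encrypted)
    : Boolean(instanceSecure)
}

// Model of cookies.set(): throws exactly where the library does.
function setCookie(req, instanceSecure, cookieOpts) {
  const secure = resolveSecure(req, instanceSecure)
  if (!secure && cookieOpts && cookieOpts.secure) {
    throw new Error('Cannot send secure cookie over unencrypted connection')
  }
  return { name: 'session', secure: Boolean(cookieOpts.secure) }
}

// Model of cookie-session's onHeaders callback: the error is caught and only
// pushed to a debug log, so the application and the user see nothing.
// `forwardSecure` selects the pre-PR behaviour (false) or the fix (true),
// where opts.secure is passed to the Cookies constructor.
function saveSession(req, sessionOpts, forwardSecure, debugLog) {
  const instanceSecure = forwardSecure ? sessionOpts.secure : undefined
  try {
    setCookie(req, instanceSecure, sessionOpts)
    return 'cookie set'
  } catch (e) {
    debugLog.push('error saving session ' + e.message)
    return 'cookie silently dropped'
  }
}

// Constructed requests (not real sockets). With 'trust proxy' enabled, Express
// derives req.protocol from X-Forwarded-Proto; a misconfigured proxy sends
// "http" even though the client connection is TLS.
const reqBehindCorrectProxy = { protocol: 'https', connection: { encrypted: false } }
const reqBehindBrokenProxy = { protocol: 'http', connection: { encrypted: false } }

// Typical hardened session options: the Secure attribute is requested explicitly.
const sessionOpts = { secure: true, httpOnly: true, signed: true }

// Runs the three cases and returns the outcomes and the debug log.
function demo() {
  const debugLog = []
  return {
    correctProxy: saveSession(reqBehindCorrectProxy, sessionOpts, false, debugLog),
    brokenProxyBefore: saveSession(reqBehindBrokenProxy, sessionOpts, false, debugLog),
    brokenProxyAfter: saveSession(reqBehindBrokenProxy, sessionOpts, true, debugLog),
    debugLog,
  }
}

console.log(JSON.stringify(demo(), null, 2))
```

With the fix, the cookie is emitted with the Secure attribute whatever `req.protocol` says, which is what you want when TLS terminates at the proxy. It does not make a genuinely plain-HTTP deployment work: browsers discard Secure cookies received over a non-secure origin, so the symptom would move from "cookie never sent" to "cookie never stored". Either way the only signal before the PR is the debug log, so an integration check that a `Set-Cookie` header is actually present on a login response behind the real proxy is worth keeping.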