session icon indicating copy to clipboard operation
session copied to clipboard

Published 20 hours ago verified publisher icon expressjs

Set-Cookie not added in response headers when secure=true (boolean value)

Open domcolella opened this issue 9 months ago • 4 comments

When session (import session from "express-session") is inited as follows the cookie is not set when sessionSecure (alias session) is set to true (boolean value). In case set to boolean false, undefined, "auto" the cookie is set as expected.

app.use(
  session({
    secret: MY_SECRET,
    resave: true,
    saveUninitialized: false,
    store: cosmosStore,
    unset: "destroy",
    rolling: true,
    cookie: {
      //maxAge: 8*60*60*1000
      maxAge: Number(SESSION_MAX_AGE_MSEC),
      sameSite: sessionSameSite, 
      secure: sessionSecure 
    },
  })
);

NOTE: sessionSameSite can be set to none, lax, strict. True value is fundamental, as in Chrome v.124 when sameSite=none attribute Secure must be specified in order for the cookie to be accepted, elsewhere it is rejected by the browser. Below the 2 extract from the network tab taken from Chrome when sameSite=none and (1) sessionSecure=auto (cookie is set but rejected by the browser because Secure is missing in setCookie header (2) sessionSecure=true (cookie is not set)

Originating browser request is always the same, when such request is handled custom properties are injected into session and the session is saved within the store: POST /apis/login HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate, br, zstd Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7,de-DE;q=0.6,de-AT;q=0.5,de;q=0.4,fr-FR;q=0.3,fr;q=0.2,pt-PT;q=0.1,pt;q=0.1,es;q=0.1,cs;q=0.1 Connection: keep-alive Content-Length: 151 Content-Type: application/json Host: ******** Origin: https://******* Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows"

(1)sessionSecure='auto' HTTP/1.1 200 OK Content-Length: 62615 Content-Type: application/json; charset=utf-8 Date: Mon, 06 May 2024 15:51:20 GMT ETag: W/"f497-DC237HLESdsoKpg0BOcS77utp2k" Set-Cookie: connect.sid=s%3AYr4n7FWirW3iDQF0rwfxI_C159519wzS.h59j4Z8UODeg1fj4gakBx2vq489%2BAJBazKdVZfMPFnQ; Path=/; Expires=Mon, 06 May 2024 16:01:20 GMT; HttpOnly; SameSite=None Strict-Transport-Security: max-age=15552000; includeSubDomains request-context: appId=cid-v1: Content-Security-Policy: default-src 'self';script-src 'self' Cross-Origin-Resource-Policy: same-origin Referrer-Policy: no-referrer X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 0

(2)sessionSecure=true HTTP/1.1 200 OK Content-Length: 62615 Content-Type: application/json; charset=utf-8 Date: Mon, 06 May 2024 15:45:38 GMT ETag: W/"f497-DC237HLESdsoKpg0BOcS77utp2k"
Strict-Transport-Security: max-age=15552000; includeSubDomains request-context: appId=cid-v1: Content-Security-Policy: default-src 'self';script-src 'self' Cross-Origin-Resource-Policy: same-origin Referrer-Policy: no-referrer X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 0

For case (2) we expected to see added to the headers above the following: Set-Cookie: connect.sid=s%3AYr4n7FWirW3iDQF0rwfxI_C159519wzS.h59j4Z8UODeg1fj4gakBx2vq489%2BAJBazKdVZfMPFnQ; Path=/; Expires=Mon, 06 May 2024 16:01:20 GMT; HttpOnly; SameSite=None; Secure

domcolella avatar May 06 '24 19:05 domcolella

I have the same issue except for me it's like this (same code, different subdomain):

  • when "https://subdomain.domain.com" is used, session.cookie.secure=true => all works, cookie is set for client, Set-Cookie header is present
  • when "https://subdomain1.subdomain2.domain.com" is used, Set-Cookie header is not sent at all when session.cookie.secure=true
  • when session.cookie.secure=false => the Set-Cookie header is set and cookies are properly set on client side

the session.cookie.httpOnly is set to false, path is "/"

pcvengros avatar May 07 '24 07:05 pcvengros

I have encountered the same issue while using express-session and there might be a solution here: https://github.com/expressjs/session/issues/958#issuecomment-2094058887

darcy521 avatar May 07 '24 23:05 darcy521

I have encountered the same issue while using express-session and there might be a solution here: #958 (comment)

it's a solution but it's not :) patching installed modules in node_modules is bad bad practice :)

pcvengros avatar May 08 '24 04:05 pcvengros

I thought it didn't work for me either after uploading it to the server, and I wasted a lot of time on it, but it turns out that this is an important part of the documentation: If secure is set, and you access your site over HTTP, the cookie will not be set. If you have your node.js behind a proxy and are using secure: true, you need to set "trust proxy" in express: app.set('trust proxy', 1) // trust first proxy might really help

KubaZachacz avatar May 14 '24 11:05 KubaZachacz