session icon indicating copy to clipboard operation
session copied to clipboard
verified publisher icon koajs

Secure cookie issue

Open imnaifu opened this issue 6 years ago • 1 comments

I'm using koa-session for a login service and found a problem when login from http://localhost.

Front-end app using http-proxy with the config like this

{
    "/api", {
      target: "https://test.com",
      changeOrigin: true
    }
}

so when the app is running at localhost:3000, it can sent ajax request to https://test.com but the problem is when login service send the response header with the set-cookie, the cookie has the secure option (I think probably detect that request is from https because the changeOrigin is set to true). And since i'm using http://localhost, the cookie is not saved (or send), so login is failed.

Currently I manually set secure: false in the config, is there a better way of fixing this?

imnaifu avatar Nov 28 '19 03:11 imnaifu

Yes, you can use secure: false, however you would need to change that on production. It's better to set up nginx to redirect traffic to your app so you work with https. Also you'll want to use a FQDN to avoid issues with cookies and CORS on development (like myapp.test), so just adding your test domain to /etc/hosts pointing to 127.0.0.1 or ::1 should do it.

ejose19 avatar May 04 '20 17:05 ejose19