expressjs/session

Set Cookie Cross Site

fiwz opened this issue · 1 comments

fiwz commented

Hello

Thank you in advance for creating this package

I have an issue in my login feature: the session is not set in the frontend area.
The backend is hosted at (example) mybackend.com and the frontend is hosted at myfrontend.com.

Here I attach my Express code:

```js
app.set('trust proxy', 1);

const sessionMiddleware = session({
  store: new RedisStore({
    client: redisClient
  }),
  secret: 'keyboard cat',
  saveUninitialized: true,
  resave: true,
  proxy: true,
  cookie: {
    secure: true,
    sameSite: 'none',
    httpOnly: false,
  }
});

app.use(function (req, res, next) {
  res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
  res.header("Access-Control-Allow-Headers", "Accept, Origin, Content-Type, Authorization, X-Requested-With, Cookie, Set-Cookie");
  res.header('Access-Control-Allow-Credentials', 'true');
  res.header('set-cookie', 'mycookie=example; SameSite=None; Secure');

  next();
});

app.use(sessionMiddleware);
```

I use Apache servers and added this line, but it seems like it has no effect:

```
RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
```

Referenced issue: #769

Only the mycookie is set
Result:
result

Is there any way to solve the cross site issue?
Thank you

fiwz commented

When we debugged the package, we found that even when we set cookie.secure to true, it is still received as cookie.secure = false, even though Express and both websites are running over HTTPS.

I will close this case now
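
The following is an added example, not part of the original posts and not express-session's own code. It models the documented behaviour of the `proxy` and `cookie.secure` options (a secure cookie is only sent when the backend sees the request as HTTPS) together with the browser rules for credentialed CORS responses. The function names, the request shape and the sample inputs are constructed for illustration.

```javascript
// Added example: models documented rules, does not call express-session.

// Documented `proxy` option: true -> use X-Forwarded-Proto; false -> direct TLS
// only; undefined -> defer to Express's "trust proxy" result (req.secure).
function isSecureRequest({ encrypted, headers, reqSecure }, proxyOption) {
  if (encrypted) return true;                 // direct TLS connection to Node
  if (proxyOption === false) return false;    // forwarded headers are ignored
  if (proxyOption === undefined) return reqSecure === true;
  const proto = String(headers['x-forwarded-proto'] || '').split(',')[0];
  return proto.trim().toLowerCase() === 'https';
}

// Returns a list of reasons the cross-site login would fail (empty = none found).
function diagnose(req, resHeaders, sessionOpts, frontendOrigin) {
  const problems = [];
  const cookie = sessionOpts.cookie || {};
  if (cookie.secure && !isSecureRequest(req, sessionOpts.proxy)) {
    problems.push('secure cookie skipped: backend does not see the request as HTTPS');
  }
  if (String(cookie.sameSite).toLowerCase() === 'none' && !cookie.secure) {
    problems.push('SameSite=None without Secure is rejected by modern browsers');
  }
  if (resHeaders['access-control-allow-origin'] !== frontendOrigin) {
    problems.push('credentialed CORS blocked: Access-Control-Allow-Origin must be the exact frontend origin, not missing or *');
  }
  if (resHeaders['access-control-allow-credentials'] !== 'true') {
    problems.push('credentialed CORS blocked: Access-Control-Allow-Credentials must be true');
  }
  return problems;
}

// Constructed inputs mirroring the issue: Apache terminates TLS and proxies
// to Node over plain HTTP, so only X-Forwarded-Proto carries the scheme.
const FRONTEND = 'https://myfrontend.com';
const opts = { proxy: true, cookie: { secure: true, sameSite: 'none' } };
const corsAsPosted = { 'access-control-allow-credentials': 'true' };
const corsWithOrigin = { ...corsAsPosted, 'access-control-allow-origin': FRONTEND };
const viaProxy = (proto) => ({
  encrypted: false,
  headers: proto ? { 'x-forwarded-proto': proto } : {},
});

console.log(diagnose(viaProxy('http'), corsAsPosted, opts, FRONTEND));
console.log(diagnose(viaProxy('https'), corsWithOrigin, opts, FRONTEND));
```

To check a real deployment against the same rules, log `req.headers['x-forwarded-proto']` and `req.secure` on the backend and compare the response headers in the browser's network tab.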