Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set-Cookie not added in response headers when secure=true (boolean value) #983

Open
domcolella opened this issue May 6, 2024 · 4 comments
Open

Set-Cookie not added in response headers when secure=true (boolean value) #983

domcolella opened this issue May 6, 2024 · 4 comments
Labels
bug

Comments

@domcolella
Copy link

When session (import session from "express-session") is inited as follows the cookie is not set when sessionSecure (alias session) is set to true (boolean value). In case set to boolean false, undefined, "auto" the cookie is set as expected.

app.use(
  session({
    secret: MY_SECRET,
    resave: true,
    saveUninitialized: false,
    store: cosmosStore,
    unset: "destroy",
    rolling: true,
    cookie: {
      //maxAge: 8*60*60*1000
      maxAge: Number(SESSION_MAX_AGE_MSEC),
      sameSite: sessionSameSite, 
      secure: sessionSecure 
    },
  })
);

NOTE: sessionSameSite can be set to none, lax, strict.
True value is fundamental, as in Chrome v.124 when sameSite=none attribute Secure must be specified in order for the cookie to be accepted, elsewhere it is rejected by the browser.
Below the 2 extract from the network tab taken from Chrome when sameSite=none and
(1) sessionSecure=auto (cookie is set but rejected by the browser because Secure is missing in setCookie header
(2) sessionSecure=true (cookie is not set)

Originating browser request is always the same, when such request is handled custom properties are injected into session and the session is saved within the store:
POST /apis/login HTTP/1.1
Accept: /
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7,de-DE;q=0.6,de-AT;q=0.5,de;q=0.4,fr-FR;q=0.3,fr;q=0.2,pt-PT;q=0.1,pt;q=0.1,es;q=0.1,cs;q=0.1
Connection: keep-alive
Content-Length: 151
Content-Type: application/json
Host: ********
Origin: https://*******
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

(1)sessionSecure='auto'
HTTP/1.1 200 OK
Content-Length: 62615
Content-Type: application/json; charset=utf-8
Date: Mon, 06 May 2024 15:51:20 GMT
ETag: W/"f497-DC237HLESdsoKpg0BOcS77utp2k"
Set-Cookie: connect.sid=s%3AYr4n7FWirW3iDQF0rwfxI_C159519wzS.h59j4Z8UODeg1fj4gakBx2vq489%2BAJBazKdVZfMPFnQ; Path=/; Expires=Mon, 06 May 2024 16:01:20 GMT; HttpOnly; SameSite=None
Strict-Transport-Security: max-age=15552000; includeSubDomains
request-context: appId=cid-v1:
Content-Security-Policy: default-src 'self';script-src 'self'
Cross-Origin-Resource-Policy: same-origin
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0

(2)sessionSecure=true
HTTP/1.1 200 OK
Content-Length: 62615
Content-Type: application/json; charset=utf-8
Date: Mon, 06 May 2024 15:45:38 GMT
ETag: W/"f497-DC237HLESdsoKpg0BOcS77utp2k"
Strict-Transport-Security: max-age=15552000; includeSubDomains
request-context: appId=cid-v1:
Content-Security-Policy: default-src 'self';script-src 'self'
Cross-Origin-Resource-Policy: same-origin
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0

For case (2) we expected to see added to the headers above the following:
Set-Cookie: connect.sid=s%3AYr4n7FWirW3iDQF0rwfxI_C159519wzS.h59j4Z8UODeg1fj4gakBx2vq489%2BAJBazKdVZfMPFnQ; Path=/; Expires=Mon, 06 May 2024 16:01:20 GMT; HttpOnly; SameSite=None; Secure
@domcolella domcolella added the bug label May 6, 2024
@pcvengros
Copy link

pcvengros commented May 7, 2024
edited

I have the same issue except for me it's like this (same code, different subdomain):

  • when "https://subdomain.domain.com" is used, session.cookie.secure=true => all works, cookie is set for client, Set-Cookie header is present
  • when "https://subdomain1.subdomain2.domain.com" is used, Set-Cookie header is not sent at all when session.cookie.secure=true
  • when session.cookie.secure=false => the Set-Cookie header is set and cookies are properly set on client side

the session.cookie.httpOnly is set to false, path is "/"

@darcy521
Copy link

darcy521 commented May 7, 2024

I have encountered the same issue while using express-session and there might be a solution here:
#958 (comment)

@pcvengros
Copy link

I have encountered the same issue while using express-session and there might be a solution here: #958 (comment)

it's a solution but it's not :) patching installed modules in node_modules is bad bad practice :)

@KubaZachacz
Copy link

KubaZachacz commented May 14, 2024
edited

I thought it didn't work for me either after uploading it to the server, and I wasted a lot of time on it, but it turns out that this is an important part of the documentation:
If secure is set, and you access your site over HTTP, the cookie will not be set. If you have your node.js behind a proxy and are using secure: true, you need to set "trust proxy" in express:
app.set('trust proxy', 1) // trust first proxy
might really help

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pcvengros @KubaZachacz @darcy521 @domcolella