Express module cookie-session not including SameSite and Secure in Response Set-Cookie
Seen this before here, but I've seen no real resolution. The server's Node Express express-session module OR cookie-session module sends back a Session Cookie, but as I had not coded in the SameSite/Secure attributes, they are not there and do the client on a subsequent POST to the server fails as Not Logged In, with a 403. As expected.
First, my client logs in to the server successfully:
Here is the corresponding server code, using express-session:
Which produced a Session Cookie via the Set-Cookie. NOTICE the SameSite='none' and Secure=true attributes were not included, and as expected, not there.
Now, I have added the sameSite and secure attributes to the session object and run the Login again.
Lets look at the Response Headers returned from this Login, with the attributes added to the session object. Not only do we not see the attributes on the Set-Cookie Response Header, but there is NO cookie returned!
It appears that when these 2 attributes are added to the session object in either express-session or cookie-session that the result is no cookie is returned. The meaning being that a subsequent POST to the server will return a 403, User Not Logged In.
I'm really stumped. I've spent a LOT of time on this! Thank you for ideas and help.
You seem to be misusing the cookie-session middleware. The cookieSession function takes an JavaScript object but the documentation doesn't mention any cookie field in that object.
Anything specified in a cookie field is ignored by the middleware and has no effect on the resulting cookie; the only reason your cookie ended up being flagged HttpOnly is that it's the middleware's default behaviour.
Instead, all the cookie attributes should be specified in a "flat" object, like so:
app.use(cookieSession({
name: 'session',
secret: secret,
domain: 'chicagomegashop.com',
sameSite: 'none',
secure: true,
httpOnly: true
}));
However, you have another issue. If I'm interpreting your screenshots correctly, you seem to attempt to set a cookie with a Domain attribute of chicagomegashop.com in a response from https://paylivepmt.com. That cannot work; browsers will ignore such a Set-Cookie response header:
The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server.
- How to access cookies in Django TestCase request and responses?
- Unable to get Cookie value when Jotform redirects user to another page
- change Keycloak cookie domain to support the parent domain
- How can I set cookies using python requests
- Set cookie without escaping special characters
- Set-Cookie was blocked because its Domain attribute was invalid with regards to the current host url
- Remove grafana cookie for user logout API
- What is the next step after login for frontend? I am working with .NET 8 Blazor Web App InteractiveAuto
- Reactjs cient not receiving cookies from express server
- In Next, how can I access the JWT token from the cookie I am setting in my NestJS app?
- PHP cookie will not set until the page reloads TWICE. What's going on?
- Correct or set the cookie in jquery ajax request
- Remember choice of filter
- PHP setcookie for the entire domain name
- Spring -> React : cannot set-cookie in any ways
- looking for a demo of CHIPS cookie in action
- Conection and send cookie between multiple AppService - Azure
- Cookies on localhost with explicit domain
- Cookies missing in Chrome dev tools application tab but visible under network section
- PHP Cookie doesn't exist even before actually deleting it in Brave
- Understanding the concept and existence of third-party client-side cookies
- Will SameSite=None cookie be deprecated in the future?
- How can I send cookies using PHP curl in addition to CURLOPT_COOKIEFILE?
- PHP - Cookie can't be read after the page is refreshed
- xmlhttprequest and set-cookie & cookie
- Cookie is not working while redirecting in .NET 7
- Is the following a safe and correct way of using a cookie?
- Sending cookie with request from subdomain
- Adding a new cookie in ASP.NET Core 6
- How do I set a PHP cookie for one second or a short period of time?