Tags: node.js, express, cookie-session

Sometimes "cookie-session" cookies cannot be modified any more


I have a NodeJs Express server where I use the cookie-session module to keep a simple session in a browser cookie.

All works fine, except that sometimes (once every few weeks on my dev machine), I cannot modify the cookie any more, nor can I delete it, BUT I can still read it!

My cookie-session settings:

const options = {
  name: 'session',
  keys: ['some private constant string...'],
  maxAge: 400 * 24 * 60 * 60 * 1000, // 400 days
  path: '/',
  domain: '.mydomain.com', // Replaced by my real domain name
  sameSite: 'strict',
  secure: true,
  httpOnly: true,
  signed: true,
  overwrite: true,
};

The problem is that once it gets into that state, I cannot do much any more: the server controls the cookie in theory, but here, it cannot modify it. Even trying to get rid of it:

req.session = null

doesn't do anything.

The fact that the server still receives and decrypts that cookie is very confusing!

Clearing the cookie manually in the browser and restarting from scratch works just fine.

Do you see a way of debugging it? Worst case, could I get rid of this cookie on the browser side in JavaScript (and how)?

I am using Chromium for my dev work.


Solution

  • The answer is really basic, and has nothing to do with cookie-session, just a stupid setup issue on my end.

    In prod, my domain is mydomain.com.

    In dev, my test setup uses local.mydomain.com.

    I did not change my cookie name, keys etc. between prod and dev, which is a mistake. So if I was to open my prod site on my dev machine, I would end up with a prod session cookie that the dev server was also able to see, but somehow could not modify/delete. This would lead to very confusing session status etc.

    So all is good with cookie-session, the problem is just me using a subdomain of the prod one in dev!