session: unable to use secure cookies
I am trying to set secure cookies, but it does not work on the first try.
I am using
secret: sessionSecret,
resave: false,
saveUninitialized: true,
cookie: {
secure: true,
httpOnly: true,
domain: 'beintoo.net',
expires: expiryDate
}
I found the function issecure relying on req.connection.encrypted here, but it seems it is not supported anymore; see https://github.com/expressjs/express/issues/1864
Any hint?
About this issue
- State: closed
- Created 8 years ago
- Reactions: 1
- Comments: 23 (10 by maintainers)
Commits related to this issue
- Add link to #281 about setting secure cookie on nginx It's a common problem, for setting up secure cookies on nginx. At least for first timers. So I thought maybe this small line might save someone ... — committed to albacoretuna/session by omidfi 8 years ago
- Merge pull request #1 from omidfi/omidfi-patch-1 Add link to #281 about setting secure cookie on nginx — committed to albacoretuna/session by omidfi 8 years ago
Ah, should be able to get
proxy_set_header X-Forwarded-Proto https;
added in there and it should be good to go?
I had some trouble with this as well. By turning on cookie: { secure: true }, proxy: true, app.set('trust proxy', true), and proxy_set_header X-Forwarded-Proto $scheme; in the nginx proxy, I've gotten HTTPS cookies to work.
Here's a snip of my app:
And my nginx configuration:
I had the same issue and just want to thank you for helping clarify matters.
proxy_set_header X-Forwarded-Proto https;
is what I was missing from my nginx config to enable secure cookies. I used it along with app.set('trust proxy', true), proxy: true, and cookie: { secure: true }
Thanks!
No problem. I think for issues like this, we can get some more information added to the README, like what headers the secure stuff is looking for and maybe even links to configuring Apache/nginx. Since this uses the same headers that Express wants for the proxy configuration, if we get example Apache/nginx configurations added to the expressjs.com website, we could link there from here. I think that would end up helping a lot 😃
@dougwilson thank you very much for your support. It is thanks to people like you that internet was born. I hope you can have a lot of satisfaction from your future projects.
Hi @fibo, what version of Express are you using? Have you tried adding the
app.set('trust proxy', 1)
to your code like in our example?
@BlackRoman strongly agree. This took three hours of my time to get to the bottom of…
I'm working with an express server started as an Azure Node web application behind IIS, inside an iframe of another domain 😃)) The session cookie works fine if
a) app.set('trust proxy', true);
b) app.use(session({ <...other session options>, cookie: { secure: true, sameSite: 'none' } }))
And to be clear: I would not like to add docs for how to configure NGINX or similar, as the configuration can vary by all kinds of things (as can even be seen in this thread), and documenting how to configure third-party systems is beyond the scope of the README in this module. At best, maybe the proxy section on expressjs.com, but that would be more up to the expressjs.com docs team. The configuration of NGINX and proxies is not specific to this module, especially since it uses the Express mechanism to read the values.
@tagiles it's safer not to just use true as the value of trust proxy; please see the details.
Hi @fibo, is your Express server even listening on an SSL socket (https.createServer(app, options)), or are you terminating your SSL with a reverse proxy in front of your Node.js app?