express-session connect.sid trips application gateway's "SQL Hex Encoding Identified" rules #1095

@rpiening

Description

Hi all,
Our ExpressJS app uses express-session to set a session cookie:

    // Enclosing require/app.use restored so the snippet is complete; the original
    // also lacked the comma after `secure`, which is a syntax error.
    const expressSession = require('express-session');

    app.use(
      expressSession({
        secret: process.env.CLIENT_SECRET,
        resave: false,
        rolling: true,
        saveUninitialized: true,
        store: new PGSessionStore(),
        cookie: {
          secure: process.env.ENV === 'production',
          httpOnly: false,
          maxAge: 1000 * 60 * 10,
        },
      })
    );

However, our application gateway blocks some requests to the app because of the generated 'connect.sid'. Specifically, it spits out a "SQL Hex Encoding Identified" message based on its regex rules against SQL injections. Given that the sid is randomly generated, this isn't too surprising - but I can find surprisingly little discussion of this problem online and I'm looking for some guidance on this matter.

What are your thoughts on this issue? Do you have any recommendations on the best genid to use in this case without compromising on security?
