Description
When session (import session from "express-session") is inited as follows the cookie is not set when sessionSecure (alias session) is set to true (boolean value). In case set to boolean false, undefined, "auto" the cookie is set as expected.
app.use(
session({
secret: MY_SECRET,
resave: true,
saveUninitialized: false,
store: cosmosStore,
unset: "destroy",
rolling: true,
cookie: {
//maxAge: 8*60*60*1000
maxAge: Number(SESSION_MAX_AGE_MSEC),
sameSite: sessionSameSite,
secure: sessionSecure
},
})
);
NOTE: sessionSameSite can be set to none, lax, strict.
True value is fundamental, as in Chrome v.124 when sameSite=none attribute Secure must be specified in order for the cookie to be accepted, elsewhere it is rejected by the browser.
Below the 2 extract from the network tab taken from Chrome when sameSite=none and
(1) sessionSecure=auto (cookie is set but rejected by the browser because Secure is missing in setCookie header
(2) sessionSecure=true (cookie is not set)
Originating browser request is always the same, when such request is handled custom properties are injected into session and the session is saved within the store:
POST /apis/login HTTP/1.1
Accept: /
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7,de-DE;q=0.6,de-AT;q=0.5,de;q=0.4,fr-FR;q=0.3,fr;q=0.2,pt-PT;q=0.1,pt;q=0.1,es;q=0.1,cs;q=0.1
Connection: keep-alive
Content-Length: 151
Content-Type: application/json
Host: ********
Origin: https://*******
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
(1)sessionSecure='auto'
HTTP/1.1 200 OK
Content-Length: 62615
Content-Type: application/json; charset=utf-8
Date: Mon, 06 May 2024 15:51:20 GMT
ETag: W/"f497-DC237HLESdsoKpg0BOcS77utp2k"
Set-Cookie: connect.sid=s%3AYr4n7FWirW3iDQF0rwfxI_C159519wzS.h59j4Z8UODeg1fj4gakBx2vq489%2BAJBazKdVZfMPFnQ; Path=/; Expires=Mon, 06 May 2024 16:01:20 GMT; HttpOnly; SameSite=None
Strict-Transport-Security: max-age=15552000; includeSubDomains
request-context: appId=cid-v1:
Content-Security-Policy: default-src 'self';script-src 'self'
Cross-Origin-Resource-Policy: same-origin
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
(2)sessionSecure=true
HTTP/1.1 200 OK
Content-Length: 62615
Content-Type: application/json; charset=utf-8
Date: Mon, 06 May 2024 15:45:38 GMT
ETag: W/"f497-DC237HLESdsoKpg0BOcS77utp2k"
Strict-Transport-Security: max-age=15552000; includeSubDomains
request-context: appId=cid-v1:
Content-Security-Policy: default-src 'self';script-src 'self'
Cross-Origin-Resource-Policy: same-origin
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
For case (2) we expected to see added to the headers above the following:
Set-Cookie: connect.sid=s%3AYr4n7FWirW3iDQF0rwfxI_C159519wzS.h59j4Z8UODeg1fj4gakBx2vq489%2BAJBazKdVZfMPFnQ; Path=/; Expires=Mon, 06 May 2024 16:01:20 GMT; HttpOnly; SameSite=None; Secure