The Problem is shows up on the paid server or when I change the server default domain to my domain.
That's My Code:
app.use(helmet.contentSecurityPolicy({
useDefaults: true,
defaultSrc: ["'self'"],
directives: directives,
scriptSrc: scriptSources,
scriptSrcElem: scriptSources,
styleSrc: styleSources,
contentTypes: contentTypes,
connectSrc: connectSources,
reportUri: "/report-violation",
reportOnly: false,
safari5: false,
}));
app.use(noCache());
app.use(helmet.noSniff());
app.use(helmet.xssFilter());
app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
app.use(bodyParser.urlencoded({ extended:
true }));
app.use(express.json());
app.use(device.capture({ parseUserAgent: true
}));
app.disable('x-powered-by');
app.use(helmet.frameguard());
app.use(helmet.ieNoOpen());
app.use(helmet.hsts({
maxAge: 3600000,
includeSubDomains: true,
force: true,
}));
app.use(cookieParser());
app.use(
session({
name: uuidv4(),
secret: process.env.SERET,
resave: true,
cookie: {
sameSite: true,
secure: true,
maxAge: 3600000,
},
saveUninitialized: false,
store: MongoStore.create({
mongoUrl: process.env.dburl,
//MONGODB URL
ttl: 24 * 60 * 60,
autoRemove: 'native'
}),
})
);
app.use(compression());
app.use(passport.initialize());
app.use(passport.session());
app.use(flash());
When I Click Login It's Redirect My To Login Page But Without Any Session.
Note: It's Working So Fine On Localhost!.
Please Help.
Best Regards,
Raqeeb Al-Nakib
I solve the problem by changing the session config as follow:
app.use(session({
name: uuidv4(),
secret: process.env.SERET,
resave: false,
proxy: true, // Set This To True
cookie: {
sameSite: true,
secure:true, // Set this to True
httpOnly: true,
maxAge: 3600000,
},
saveUninitialized: false,
store: MongoStore.create({
mongoUrl: process.env.dburl, //MONGODB URL
ttl: 24 * 60 * 60,
autoRemove: 'native'
}),
})
Related
I'm using Redis Store to store my sessions since I use a serverless backend, and I'm running into problems to set my cookie.
My frontend and backend currently run on 2 different domains, and this is how I configured my session management:
app.use(json());
app.use(
session({
store: new RedisStore({ client: redisClient }),
secret: options.sessionSecret,
resave: false,
saveUninitialized: false,
cookie: {
secure: process.env.NODE_ENV === 'PROD' ? true : 'auto',
httpOnly: true,
maxAge: 1000 * 60 * 60 * 24 * 7,
sameSite: process.env.NODE_ENV === 'PROD' ? 'none' : 'lax',
},
})
);
As said, the issue occurs when I'm in production, when I'm in development my cookie generates as expected.
Is my session configuration incorrect? Or missing something?
TIA!
As #Brijesh mentioned, we should set a property to trust the proxy:
app.set('trust proxy', 1)
app.use(json());
app.use(
session({
store: new RedisStore({ client: redisClient }),
secret: options.sessionSecret,
resave: false,
saveUninitialized: false,
cookie: {
secure: process.env.NODE_ENV === 'PROD' ? true : 'auto',
httpOnly: true,
maxAge: 1000 * 60 * 60 * 24 * 7,
sameSite: process.env.NODE_ENV === 'PROD' ? 'none' : 'lax',
},
})
);
I am having the hardest time sending cookies from my nodejs server to my browser. Below is my index.js (server side) code:
app.use(express.json());
app.use(express.urlencoded({ extended: true }))
app.use(
cors({
origin: "http://localhost:3000",
methods: "GET,HEAD,PUT,PATCH,POST,DELETE",
credentials: true
})
);
let port = process.env.PORT;
if (port == null || port == "") {
port = 5000;
}
mongoose.connect(process.env.ATLAS_URI).then(console.log("MongoDB Connection Success")).catch(err => console.log("MongoDB Connection Failed" + err))
app.use(session({
secret: 'random secret',
resave: false,
saveUninitialized: false,
// store: MongoStore.create({ mongoUrl: process.env.ATLAS_URI }),
cookie: {
expires: 7 * 24 * 6 * 60 * 1000,
secure: false,
},
}));
app.use(cookieParser())
app.use(passport.initialize())
app.use(passport.session())
app.use("/auth", auth)
I know a cookie is being created when i authenticate a user because if i uncomment out the store in app.use(session({...}) i see session IDs and cookies in my mongodb. But how can I send it to the browser?
try this config for the session options.
my version of express-session is "^1.17.2"
app.use(session({
name: 'random name',
resave: false,
saveUninitialized: false,
secret: 'random secret',
store: MongoStore.create({
mongoUrl: config.DatabaseUrl,
ttl: 14 * 24 * 60 * 60 // = 14 days. Default
})
}));
if this config does not work, check your passport authenticate function that set session true like the below example :
passport.authenticate('local.register', {session: true}, (err, user): void => {
// When res has an Error
if (err) return res.redirect('/auth/register');
return res.redirect('/');
})(req, res);
My MERN project work well on my local but when I deployed it I get 401 error while fetching user. Heroku doesn't set client-side cookie. Then I have searched on google first ı change my cookie-session to express-session and some other configuration and still, it doesn't work on Heroku.
https://github.com/olcaykaplan/passport_google
cors:
app.use(
cors({
origin: "http://localhost:3000",
credentials: true,
methods: "GET,HEAD,PUT,PATCH,POST,DELETE",
allowedHeaders: ['Content-Type', 'Authorization']
})
);
express session:
app.use(
express.session({
secret: "secret",
resave: false,
saveUninitialized: true,
store: sessionStore,
proxy: true,
cookie: {
httpOnly:true,
secure: true,
maxAge: oneDay,
},
})
);
if your client side work on local,
change secure value to false, remove proxy and sameSite
The project was working fine with the following cors and session information
app.use(
cors({
origin: "netlify url",
credentials: true,
methods: "GET,HEAD,PUT,PATCH,POST,DELETE",
allowedHeaders: ['Content-Type', 'Authorization']
})
);
const oneDay = 1000 * 60 * 60 * 24; // Equals 1 day (1 day * 24 hr/1 day * 60 min/1 hr * 60 sec/1 min * 1000 ms / 1 sec)
app.use(cookieParser("secret"));
app.use(
express.session({
secret: "secret",
resave: false,
saveUninitialized: true,
store: sessionStore,
proxy: true,
cookie: {
sameSite:"none",
//path: "/",
httpOnly:true,
secure: true,
maxAge: oneDay,
},
})
);
Session initialize in express.js also used passport.js for local-authentication which is working fine. But the session/cookie is not working
app.use(serveStatic(__dirname + '../../dist'));
mongoose.connect(config.database, function(err){
if(err) console.log(err);
console.log('Connected to DB');
})
app.use(cors({
origin:['http://localhost:8080'],
credentials: true // enable set cookie
}));
app.use(logger('dev'));
app.use(bodyParser.json());
app.use(cookieParser()); // read cookies (needed for auth)
app.use(bodyParser.urlencoded({ 'extended': 'false' }));
// required for passport
require('./config/passport')(passport); // pass passport for configuration
app.use(session({
secret: config.secret,
resave: true,
saveUninitialized: true,
cookie: { secure: true }
}));
// session secret
app.use(passport.initialize());
app.use(passport.session()); // persistent login sessions
Get request with axios is below
axios.get(this.url + '/user', {withCredentials: true})
.then(response => {
console.log(response);
})
.catch(e => {
this.errors.push(e)
})
Refer tutorial to store sessions or cookies using passport.js and express.js
app.use(session({
secret: config.secret,
resave: true,
saveUninitialized: true,
cookie: { secure: true }
}));
instead of this try:
app.use(express.session({
secret: config.secret,
resave: true,
saveUninitialized: true,
cookie: { secure: true }
}));
app.use(passport.session());
I have the same problem that these questions but in NodeJS:
different session with url's with-www and without-www
Same URL without www different session
If I write domain.com is a different session that www.domain.com ... Why?
It's for some domain rule?
I share here my cookie in express:
app.use(session({
saveUninitialized: true,
resave: true,
secret: config.sessionSecret,
cookie: {
maxAge: 15778476000,
httpOnly: true,
secure: false
},
key: 'sessionId',
store: new mongoStore({
db: db.connection.db,
collection: config.sessionCollection
})
}));
Thank you!