I have set secure flag to be true just for heroku (production environment) but it is not working. When I log in on heroku it does not treat me as if I am logged in because secure: true is not working. Following in my code:
app.use(session({
store: MongoStore.create({
mongoUrl: process.env.DATABASEURL,
secret: process.env.SECRET,
touchAfter: 24 * 60 * 60
}),
name: process.env.NAME,
secret: process.env.SECRET,
resave: false,
saveUninitialized: false,
cookie: {
httpOnly: true,
secure: process.env.BOOLEAN,
expires: Date.now() + 7 * 24 * 60 * 60 * 1000,
maxAge: 7 * 24 * 60 * 60 * 1000
}
}));
BOOLEAN is set true on heroku but still it is not working. Please help. I used proxy: true flag and with this I was able to log in both in development and production environment but this means that my adding proxy: true users can access the site via insecure connections as well, right? What to do please help.
Related
I'm using the following to configure my session on subdomain1.example.com:
const expressInstance = express();
expressInstance.use(
session({
secret: "my secret",
cookie: {
domain: '.example.com',
sameSite: 'none',
secure: true,
maxAge: 1000 * 60 * 60 * 48
}
})
);
expressInstance.set('trust proxy', 1);
Then I set it as:
res.cookie("cookie_name", "cookie_value")
I can see this cookie when I visit subdomain1.example.com but not when I visit example.com.
What am I missing? Isn't this a very common use case?
I use express-session with oauth library, but it seams there is some problem to save session data while interacting with oauth server
is there a way to identify possible session-saving problem?
I init a session in such way
app.set("trust proxy", 1)
app.use(session({
secret: 'secret',
resave: true,
saveUninitialized: true,
cookie:
{
secure: false, httpOnly:false,
sameSite: false,
maxAge: 30 * 24 * 60 * 60 * 1000,
}
}));
i try to debug code, but don't a source of problem
In my NodeJs / Express app, I'm using the standard session package and Passport to handle sessions and login. My problem is that the app kicks the user out after what feels like 10 minutes of inactiviy, and forces them to log-in again. My assumption is that it must be something to do with the session configuration, which with my limited understanding, I think is configured to allow 2 hours:
const session = require("express-session");
const PostgreSqlStore = require("connect-pg-simple")(session);
const sessionAge = 2 * 60 * 60 * 1000; // hour, min, sec, millisecond
var sessionConfig = {
name: "mysite",
secret: "verysecret",
resave: true,
saveUninitialized: false,
proxy: trustedTypes,
cookie: {
key: "cookieKey",
secure: true,
sameSite: false,
httpOnly: true,
maxAge: sessionAge,
},
store: new PostgreSqlStore({
pgPromise: db,
ttl: 2 * 60 * 60, //Hours, minute, seconds
}),
};
app.use(session(sessionConfig));
Is there anything I'm doing wrong, or is there something else I should be looking at to find the cause of this behavior?
store: new PostgreSqlStore({
pgPromise: db,
ttl: 2 * 60 * 60, //Hours, minute, seconds
})
I think your PostgreSQL store ttl property should be equivalent to maxAge property of session config
I've discovered that apparently although by default the session does get extended on the server, it won't send an updated cookie to the browser if nothing has changed in it. The missing property is the 'rolling' attribute.
var sessionConfig = {
rolling: true,
I am using this configuration for session:
app.use(session({
secret: config.cookieSecret,
resave: true,
saveUninitialized: true,
store: sessionStore, //MongoStore
key: 'sid',
cookie: {
name: 'sid',
path: '/',
maxAge: 1000 * 60 * 60 * 5 // 5h
}
}));
It works fine in Chrome and Firefox (session id remains the same) but Safari somehow manages to create a new session id for each request. Is there any other way to handle this.
I set up the session maxAge of express like documented.
Here is my code:
app.use(session({
secret: process.env.SESSION_SECRET,
saveUninitialized: true,
resave: true,
maxAge: 1000* 60 * 60 *24 * 365,
store: new MongoStore({mongooseConnection:mongoose.connection})
}));
But every time I close the browser, I find myself logged out.
Also, note that I am using Passport local, facebook, and google authentications.
They all expire.
In the console, I can see that the connect.sid in the expires/maxAge section lists "Session" while other cookies have dates...
What am I doing wrong?
you need to configure your express-session, and set maxAge on session-cookie
app.use(express.session({
cookie : {
maxAge: 1000* 60 * 60 *24 * 365
},
store : new MongoStore({mongooseConnection:mongoose.connection})
});
//.....
app.use(passport.session());