I am trying to use express-session with the Windows IIS server, but I am not receiving cookies at the frontend, I set the following configuration for express-session. Please help me if anyone knows the issue. In localhost, it is working fine.
app.use(session({
genid: function(req) {
return v4() // use UUIDs for session IDs
},
store: new MemoryStore({
checkPeriod: 60 *60000 // prune expired entries every 60 minutes
}),
resave:true,
saveUninitialized:false,
proxy: true,
secret: 'abcdef',
rolling:true,
cookie:{ httpOnly: true, sameSite:"none", secure:true, maxAge:20 * 60000} //20 minutes
}))
Related
I am following Ben Awad full stack tutorial with same stack (
React
TypeScript
GraphQL
URQL/Apollo
Node.js
PostgreSQL
MikroORM/TypeORM
Redis
Next.js
TypeGraphQL
Chakra
)
But newer versions (the video was 2 years old), in 2:59:59, according to the video, when we make a register request through browser(client side) the qid cookies was supposed to get sent automatically but it doesn't work for me. Things work fine when I make request through my server (localhost port 5000, redirect to https://studio.apollographql.com/sandbox/explorer) but when it come to browser I successfullyy register the user but the cookies was not saved.
Here is the code I built in my server to set the cookies (redis connected):
app.use(
cors({
origin: ["http://localhost:3000", "https://studio.apollographql.com"],
credentials: true,
})
)
app.set("trust proxy", true);
app.use(
session({
name: "qid",
store: new RedisStore({ client: redisClient, disableTouch: true }),
cookie: {
maxAge: 1000 * 60 * 60 * 24 * 365 * 10, //10 years
httpOnly: false,
sameSite: "none",
secure: true, // cookie only works in https
},
saveUninitialized: false,
secret: "123456789",
resave: false,
})
);
Thanks guys and I appreciate you guys a lot.
I solved it: set sameSite: 'none' when you want to save cookie through sandbox and lax when you want to save it with browser.
I've been researching this for hours now. What could be the reason why the cookies are not being saved in the browser? I'm using express-session. Below are the pieces of code I'm using.
const app = express();
// CORS config
app.use(cors({
origin: process.env.API_URL,
credentials: true,
optionsSuccessStatus: 200
}));
app.use(cookieParser());
// Where the sessions are stored
const MongoDBStore = new MongoDBSession({
uri: process.env.MEDIRECORDS_URI,
collection: "sessions"
})
app.set("trust proxy", 1);
const oneDay = 1000 * 60 * 60 * 24;
app.use(session({
name: "irmp_session",
secret: process.env.AWS_SESSION_KEY,
resave: false,
saveUninitialized: false,
maxAge: 7200000, // 2 hrs validity
store: MongoDBStore,
cookie: {
path: '/',
sameSite: false,
secure: false,
maxAge: oneDay
}
}))
When I try to login using the frontend, the login is successful, the session is stored in the database. However, when I check the cookie storage, it is empty.
After spending hours of researching, I learned that this is due to Chrome's cookie updates. Here is what the update is all about.
As the link states, for a cookie to be saved in Chrome and if it is really needed to set the sameSite to none, developers should set the secure option to be true. Default value of sameSite if not set is lax.
Hope this helps anyone who might encounter the problem.
If anyone here uses heroku or render.com for free, I added all the answers above but it is still not working. I have tried another solution here which is add app.set("trust proxy", 1); before app.use(session(sessionSettings)) and it now saves cookie to different browsers.
Thank you so much for sharing it. I was stack on this for 2 days now, in localhost things worked perfectly, but after deploy my MERN app in differents servers, cookie stoped working...
using express-session:
app.use(session({
.......
.......
cookie:{
maxAge: 24*60*60*1000, //please change it based on your needs
secure: app.get('env') === 'production'?true:false,
sameSite: 'none'
}}));
this will solve the problem!!
My problem is, that the Frontend doesn't receive the session. Even though the session is stored in my database its not working. This problem only occurs when I use Heroku, locally it's working. I tried already a lot of solutions but none of them were working for me.
I hosted my frontend on Netlify with React and all of my backend is on Heroku.
app.set("trust proxy", 1);
app.use(
session({
key: "userId",
proxy: true,
secret: "verySecureSecret123",
resave: false,
saveUninitialized: false,
store: sessionStore,
cookie: {
secure: true,
expires: 60 * 60 * 24 * 30,
},
})
);
I decided to use express session instead of cookie session so that I can use the rolling option which is only available in express session that allows me to only sign out users based on inactivity.
Here is my setting:
app.use(session({
secret: [keys.session.secret],
cookie: {
path: '/',
httpOnly: true,
secure: false,
maxAge: 1200000 //20 minutes
},
rolling: true,
resave:true,
saveUninitialized:true
}));
I have set the maxAge to 20 minutes but I keep on getting signed out every 3-4 minutes and I am not sure why
To make my webapp ready for production, I wanted to set the session cookie property "secure" from false to true.
The app is hosted by Aws and is built like this:
Route53 -> CloudFront -> ELB (no cluster, only SingleApp)
CloudFront is used to make the app accessible via SSL. The Nodejs app listens on an HTTP port.
Unfortunately the SessionCookie is not set.
If I set secure to false, the login works and the session cookie is set. So it only seems to depend on this property.
I also set "trust proxy" to true, but unfortunately without success.
Express.js:
const ExpressApp=express();
ExpressApp.set("trust proxy", (ip)=>{
return true;
});
...
session:
const expiryDate = new Date( Date.now() + 60 * 60 * 1000 ); // 1 hour
return session({
genid: (req) => {
return uuid() // use UUIDs for session IDs
},
secret: process.env.SESSION_SECRET,
resave: false,
saveUninitialized: true,
proxy:true,
store: new MongoStore({ mongooseConnection: mongoose.connection }),
rolling: true,
cookie:{
secure:true,
httpOnly:true,
expires: expiryDate
}
})
CloudFront:
https://pasteboard.co/Ib9mTED.png