Why is the cookie set without the secure flag?
astranavt opened this issue · comments
Anton commented
example:
// Reporter's configuration: mounts the cookie-session middleware with the
// cookie attributes nested under a `cookie` key.
app.use(cookieSession({
name: 'session',
// Placeholder signing keys for the example; a real deployment needs long random
// secrets loaded from configuration, not literals committed with the code.
keys: ['key1', 'key2'],
// NOTE(review): cookie-session documents secure / httpOnly / domain / path /
// expires as top-level options next to `name` and `keys`; the nested
// `cookie: { ... }` shape is the express-session convention. Presumably this
// object is not read by cookie-session, in which case the secure flag is
// decided by whether the request arrived over TLS -- which would explain a
// cookie issued without `secure` over plain HTTP. Confirm against the installed
// version.
cookie: { secure: true,
httpOnly: true,
domain: 'localhost',
path: '/',
// `expiryDate` is not defined anywhere in this excerpt.
expires: expiryDate
}
})
);
Douglas Wilson commented
Cannot reproduce the issue. See the reproduction steps I attempted below. Please follow up with either (1) a pull request with the fix for your specific use case or (2) a detailed reproduction case, similar to what I did, that demonstrates the issue.
$ npm i express cookie-session pem
+ express@4.16.3
+ cookie-session@2.0.0-beta.3
+ pem@1.13.0
added 67 packages from 55 contributors and audited 136 packages in 2.527s
found 0 vulnerabilities
$ cat app.js
// Reproduction server: an Express app served over HTTPS with a throwaway
// self-signed certificate and cookie-session mounted, so the attributes on the
// Set-Cookie headers can be inspected with curl.
const https = require('https');
const cookieSession = require('cookie-session');
const express = require('express');
const pem = require('pem');

const app = express();

// NOTE(review): the curl response recorded for this script shows
// `path=/; secure; httponly` and no `domain=` attribute, although
// `domain: 'localhost'` is set below. That is consistent with the nested
// `cookie` object not being read at all: cookie-session documents these
// attributes as top-level options (the nested shape is express-session's), and
// `secure` here presumably comes from the connection being TLS while
// `httponly` is the library default. If so, this run does not exercise the
// `secure: true` setting -- TODO confirm for the installed beta.
const sessionOptions = {
  name: 'session',
  // Placeholder signing keys; real deployments need long random secrets kept
  // out of source control.
  keys: ['key1', 'key2'],
  cookie: {
    secure: true,
    httpOnly: true,
    domain: 'localhost',
    path: '/',
  },
};
app.use(cookieSession(sessionOptions));

app.get('/', (req, res) => {
  // Populate the session so the response carries a session cookie.
  // The recorded cookie value is base64-encoded JSON ({"visited":true}); the
  // accompanying `session.sig` cookie gives integrity, not confidentiality, so
  // nothing secret belongs in req.session.
  req.session.visited = true;
  res.end();
});

// One-day self-signed certificate: suitable for a local reproduction only,
// which is also why the curl invocation needs -k to skip verification.
pem.createCertificate({ days: 1, selfSigned: true }, (err, keys) => {
  if (err) {
    throw err;
  }
  const tlsOptions = { key: keys.serviceKey, cert: keys.certificate };
  https.createServer(tlsOptions, app).listen(3000, () => {
    // Print the command to run against this server once it is listening.
    console.log('curl -ik https://localhost:3000/');
  });
});
$ node app.js &
[1] 29140
curl -ik https://localhost:3000/
$ curl -ik https://localhost:3000/
HTTP/1.1 200 OK
X-Powered-By: Express
Set-Cookie: session=eyJ2aXNpdGVkIjp0cnVlfQ==; path=/; secure; httponly
Set-Cookie: session.sig=ecJM98jgtvn9moo-01OdV2AY8sE; path=/; secure; httponly
Date: Fri, 14 Sep 2018 18:54:17 GMT
Connection: keep-alive
Content-Length: 0
Anton commented
thanks