expressjs / cookie-session

Simple cookie-based session middleware


Cookie not set in response when setting secure:true

MWerk opened this issue · comments

Hello,

When running the following app.js:

var cookieSession = require('cookie-session')
var helmet = require('helmet');
var express = require('express')

var app = express()

app.use(helmet());
var oneYearInSeconds = 31536000;
app.use(helmet.hsts({
  maxAge: oneYearInSeconds,
  includeSubDomains: true,
  force: true
}));

var oneHourInMs = 60 * 60 * 1000;
app.use(cookieSession({
  name: 'session',
  secret: '10dfaf09-cf6f-43a9-b40b-4eaacbcceb8a',
  maxAge: oneHourInMs, // a duration in milliseconds, not an absolute timestamp
  secure : true
  // secureProxy: true, // Deprecated when using 2.0.0-alpha. Says to use secure option but that stops passing on cookies. When set to true, the cookie is set to Secure. If commented out, cookie not set to Secure
}))

app.get('/', function (req, res, next) {
  // Update something in the session, needed for a cookie to appear
  req.session.views = (req.session.views || 0) + 1

  // Write response
  res.end(req.session.views + ' views')
})

app.listen(3000)

When I now curl it:

vagrant$ curl -c - -v http://localhost:3000/
* Connected to localhost (127.0.0.1) port 3000 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: localhost:3000
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-XSS-Protection: 1; mode=block
< Surrogate-Control: no-store
< Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536; includeSubDomains
< Date: Tue, 13 Dec 2016 11:27:37 GMT
< Connection: keep-alive
< Content-Length: 7
<
* Connection #0 to host localhost left intact

You can see that no cookies are added or set. When I comment out secure: true and set secureProxy: true, then a cookie is returned; you'll see something like:

#HttpOnly_localhost FALSE / TRUE 2961374488 session eyJ2aWV3cyI6MX0=
#HttpOnly_localhost FALSE / TRUE 2961374488 session.sig DJaPtrG-tmTnVr33fOWXqWGnVlw

See also my comment at the end of the secureProxy field.

Versions used:
node js: 6.7.0
express: 4.13.30
cookie-session: 1.2.0
helmet: 0.14.0

Am I doing something wrong? Or maybe it's helmet being in the way in some form? Update: nope, when commenting out the helmet parts, same behavior.

We're having the same problem. Did you find anything regarding this matter by any chance @MWerk ?

I need to expand the documentation directly in this module, but you can read more in the documentation in the underlying library that is setting the cookies: https://github.com/pillarjs/cookies#secure-cookies

The answer is that when you set secure: true, this module won't even produce a Set-Cookie response header if your connection to Node.js is not over TLS (which, in @MWerk's example, it is not).

If you are using Express, as @MWerk is, and you are terminating TLS somewhere above the Express Node.js instance, then you'll want to set up the trust proxy setting in Express so that it signals to the module that the connection is indeed over TLS.