Tuesday, 1 September 2020

Express JS/ Node JS : Browsers are not setting cookie when secure=true, sameSite: 'none'

it sets the cookie if I run the server locally, but when it is hosted online :

  1. If secure=false, sameSite: 'none' then I get the following error

Cookie “connect.sid” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

then I tried with secure=true

  1. if secure=true, sameSite: 'none' then I know it's supposed to work,

it works and the cookies are set when the server is hosted locally. But when it is hosted in heroku the cookie are not set, and I get no error.

It seems as if the client website is not secure but it shows https in the url box

What am I doing wrong here?

session config:

router.use(
    session({
        cookie: {
            secure: true,
            maxAge: 86400,
            sameSite: "none",
        },
        secret: process.env.SESSION_SECRET,
        resave: false,
        saveUninitialized: false,
    })
);

note : I have already enabled cors with credentials set to true The cookies tab was empty in the XHR cookies tab Front-end and Back-end are hosted separately in heroku XMLHttpRequest is used to send post request with withCredentials set to true.

XHRPOSThttps://sih-drs-prototype-backend-2.herokuapp.com/api/outrages/login [HTTP/1.1 200 OK 1625ms]

POST https://sih-drs-prototype-backend-2.herokuapp.com/api/outrages/login Status200 OK VersionHTTP/1.1 Transferred367 B (2 B size)

Access-Control-Allow-Credentials
    true
Access-Control-Allow-Origin
    https://tempautocomplete.herokuapp.com
Connection
    keep-alive
Content-Length
    2
Content-Type
    application/json; charset=utf-8
Date
    Sun, 12 Jul 2020 14:06:42 GMT
Etag
    W/"2-vyGp6PvFo4RvsFtPoIWeCReyIC8"
Server
    Cowboy
Vary
    Origin
Via
    1.1 vegur
X-Powered-By
    Express
    
Accept
    */*
Accept-Encoding
    gzip, deflate, br
Accept-Language
    en-US,en;q=0.5
Connection
    keep-alive
Content-Length
    46
Content-Type
    application/json;charset=UTF-8
Host
    sih-drs-prototype-backend-2.herokuapp.com
Origin
    https://tempautocomplete.herokuapp.com
Referer
    https://tempautocomplete.herokuapp.com/static/
User-Agent
    Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0


from Express JS/ Node JS : Browsers are not setting cookie when secure=true, sameSite: 'none'
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)