Cookies and SameSite + Secure - ExpressJS


Solution 1

Documentation Link: https://www.npmjs.com/package/express-session#cookiesamesite

The below code will solve your issue. This is also recommended going forward.

const express = require('express');
const session = require('express-session');
const app = express();

const sessionConfig = {
  secret: 'MYSECRET',      // replace with a real secret loaded from the environment
  name: 'appName',         // name of the session cookie
  resave: false,
  saveUninitialized: false,
  store: store,            // session store, defined further down in this answer
  cookie : {
    sameSite: 'strict', // THIS is the config you are looking for.
  }
};

if (process.env.NODE_ENV === 'production') {
  app.set('trust proxy', 1); // trust first proxy
  sessionConfig.cookie.secure = true; // serve secure cookies
}

app.use(session(sessionConfig));

In your case, set sameSite to 'none'.

In case you are wondering what `store` is: I am using my database as storage for all the cookies. It's not relevant to the question asked by OP; I just added it as pointed out by @klevis in the comment. Here's the code:

// `kx` is the application's knex instance (assumed to be created elsewhere)
const KnexSessionStore = require('connect-session-knex')(session);
const store = new KnexSessionStore({
  tablename: 'session',   // table that holds the session rows
  knex: kx,
  createtable: false      // the table already exists
});
  • Edit 1: Fixed issue pointed out by CaptainAdmin
  • Edit 2: Added store definition.

Solution 2

You can set these options without using any node package, with Express only, like this:

app.get('/', (req, res) => {
  //.....Other Code
  // res.cookie() emits a Set-Cookie header with SameSite=None and Secure
  res.cookie('cookieName', 'cookieValue', { sameSite: 'none', secure: true });
  //.....Other Code
});

Solution 3

As far as I know, this is a warning about a new implementation for Chrome in the future.

samesite option on cookies: Starting in Chrome 80, cookies that do not specify a SameSite attribute will be treated as if they were SameSite=Lax with the additional behavior that they will still be included in POST requests to ease the transition for existing sites.

Any further information: https://www.chromium.org/updates/same-site

If you desire to test your web page, this article explains how to set Chrome flags for testing. If your page stops working, you have to check all requests and look for "http://" to "https://" updates, or check third-party cookies.
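An added example, not part of any of the answers above: a small Node.js audit that parses Set-Cookie values like the one printed in the question and reports how a Chrome 80+ style browser treats each cookie on cross-site requests (SameSite=None without Secure is rejected, a missing SameSite is treated as Lax). The sample headers are constructed and the function names are hypothetical.

```javascript
// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1); // flag attrs become true
  }
  return cookie;
}

// Classify cross-site behaviour under the Chrome 80 rules described above:
//   'rejected'        SameSite=None without Secure, the browser drops the cookie
//   'cross-site'      SameSite=None; Secure, sent with cross-site requests
//   'strict'          SameSite=Strict, never sent cross-site
//   'lax'             SameSite=Lax, sent on top-level navigations only
//   'lax-by-default'  no SameSite attribute, treated as Lax (the warning case)
function crossSiteBehaviour(cookie) {
  const explicit = cookie.attrs.samesite;
  const sameSite = String(explicit || 'lax').toLowerCase();
  const secure = cookie.attrs.secure === true;
  if (sameSite === 'none') return secure ? 'cross-site' : 'rejected';
  if (sameSite === 'strict') return 'strict';
  return explicit ? 'lax' : 'lax-by-default';
}

// Audit a list of Set-Cookie header values, e.g. collected from a response.
function auditSetCookies(headers) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    return {
      name: c.name,
      behaviour: crossSiteBehaviour(c),
      secure: c.attrs.secure === true,
      httpOnly: c.attrs.httponly === true,
    };
  });
}

// Constructed sample headers; the first one is the cookie shown in the question.
const SAMPLE_HEADERS = [
  'access_token=someToken; Path=/; HttpOnly; Secure; SameSite=None',
  'appName=s%3Aabc.def; Path=/; HttpOnly; SameSite=Strict',
  'legacy=1; Path=/',
  'thirdparty=x; Path=/; SameSite=None',
];

for (const finding of auditSetCookies(SAMPLE_HEADERS)) console.log(finding);
```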

Author: Eric E

Electronics / Programming Student. Experience with Embedded Systems / Software and Electronics.

Updated on July 09, 2022

Comments

  • Eric E (almost 2 years ago)

    The following warning is being shown in the console, even though I have the following settings on my express application. Has anyone seen this error before? My search brought me to https://github.com/expressjs/express/issues/3095

    I am also using express : 4.17.1

    let COOKIE_OPTIONS = { httpOnly: true, sameSite: 'None', secure: true };
    
    A cookie associated with a cross-site resource at http://MYURL.URL was set
    without the `SameSite` attribute. A future release of Chrome will only deliver 
    cookies with cross-site requests if they are set with `SameSite=None` and 
    `Secure`. You can review cookies in developer tools under 
    Application>Storage>Cookies and see more details at 
    https://www.chromestatus.com/feature/5088147346030592 and 
    https://www.chromestatus.com/feature/5633521622188032.
    

    When doing a request using Insomnia (Postman) I see the following

    access_token=someToken; 
    Path=/; 
    HttpOnly; 
    Secure; 
    SameSite=None
    
  • CaptainZero (over 4 years ago)
    There is no property like sameSite for session config, it's for cookie
  • Adarsh Madrecha (over 2 years ago)
    @CaptainZero have fixed the same. Thanks for pointing out.