Cookies and SameSite + Secure - ExpressJS
Solution 1
Documentation Link: https://www.npmjs.com/package/express-session#cookiesamesite
The below code will solve your issue. This is also recommended going forward.
const express = require('express');
const session = require('express-session');
const app = express();

const sessionConfig = {
    secret: 'MYSECRET',
    name: 'appName',
    resave: false,
    saveUninitialized: false,
    store: store, // session store, defined below
    cookie: {
        sameSite: 'strict', // THIS is the config you are looking for.
    }
};

if (process.env.NODE_ENV === 'production') {
    app.set('trust proxy', 1); // trust first proxy
    sessionConfig.cookie.secure = true; // serve secure cookies
}

app.use(session(sessionConfig));
In your case, set sameSite to 'none'.
In case you are wondering what store is? I am using my database as storage for all the cookies. It's not relevant to the question asked by OP. Just added as pointed out by @klevis in the comment. Here's the code:
const KnexSessionStore = require('connect-session-knex')(session);
// kx: your knex instance, initialised elsewhere
const store = new KnexSessionStore({
    tablename: 'session',
    knex: kx,
    createtable: false
});
- Edit 1: Fixed issue pointed out by CaptainAdmin
- Edit 2: Added store definition.
Solution 2
You can set these options without using any node package, with Express only, like this:
app.get('/', (req, res) => {
    // ..... Other Code
    res.cookie('cookieName', 'cookieValue', { sameSite: 'none', secure: true });
    // ..... Other Code
});
Solution 3
As far as I know, this is a warning about a new implementation for Chrome in the future.
samesite option on cookies: Starting in Chrome 80, cookies that do not specify a SameSite attribute will be treated as if they were SameSite=Lax with the additional behavior that they will still be included in POST requests to ease the transition for existing sites.
Any further information: https://www.chromium.org/updates/same-site
If you desire to test your web page, this article explains how to set Chrome flags for testing. If your page stops working you have to check all requests and look for "http://" to "https://" updates, or check third-party cookies.
Eric E
Electronics / Programming Student. Experience with Embedded Systems / Software and Electronics.
Updated on July 09, 2022

Comments

- Eric E, almost 2 years ago:
The following warning is being shown in the console, even though I have the following settings on my express application. Has anyone seen this error before? My search brought me to https://github.com/expressjs/express/issues/3095
I am also using express : 4.17.1
let COOKIE_OPTIONS = { httpOnly: true, sameSite: 'None', secure: true };
A cookie associated with a cross-site resource at http://MYURL.URL was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
When doing a request using Insomnia (Postman) I see the following:
access_token=someToken; Path=/; HttpOnly; Secure; SameSite=None
- CaptainZero, over 4 years ago: There is no property like sameSite for session config, it's for cookie.
- Adarsh Madrecha, over 2 years ago: @CaptainZero have fixed the same. Thanks for pointing out.