Node, express.session as middleware does not set cookie

this question is related to NodeJS + Express - Apply session middleware to some routes which I first thought would solve my problem. But it did not.

I'm trying to build a site where the first default-page show the user info about the site needing to use cookies and gives him the possibility to accept this. Therefore I do not want the server to send a set-cookie header until after the user has given their acceptance.

As in the solution to the question above I now try and insert the session as a middleware only to the routes that should have it. The problem is that doing so I never get any set-cookie header from the server. Checked this with Fiddler.

My code looks like this (only the relevant parts):

var express = require('express');
var app = express();
var session      = require('express-session');
var mongoose = require('mongoose');
var configDB = require('./config/database.js');
var mongoStore = require('connect-mongo')(session);

mongoose.connect(configDB.url);

var mongoSessionStore = new mongoStore({
    mongoose_connection: mongoose.connections[0]
});

.
.
.

var sessionMiddleware = session({
    secret: 'secret',
    store: mongoSessionStore,
    key:    'express.sessionID',
    cookie: {domain: 'the-domain', path: '/', httpOnly: true, secure: false, maxAge: null },
    saveUninitialized: false,
    resave: false   
});

require('./app/routes.js')(app, passport, sessionMiddleware);

And the routes looks like this, in seperate file:

module.exports = function(app, passport, sessionMiddleware) {

    app.get('/', loginIsLoggedIn, function(req, res) {
        res.render('cookie.ejs');
    });


    app.post('/', function(req, res) {
        if(req.body.cookieAnswer == "Accept"){
            res.redirect('/login');
        } else {
            res.render('cookie.ejs', {cookieMsg: req.body.cookieAnswer});
        }
    });

    app.get('/login', sessionMiddleware, loginIsLoggedIn, function(req, res) {
        res.render('login.ejs', {successMsg: res.locals.success_message, errorMsg: res.locals.error_message});
    });


    app.post('/login', sessionMiddleware, passport.authenticate('local-login', {
        successRedirect : '/auth',
        failureRedirect : '/login',
        failureFlash : true // allow flash messages
    }));

I hoped that when the sessionmiddleware is called the first time, when processing get 'login.ejs', that it would generate the set-cookie header in the response but there is something I'm missing here.

If I set up middleware like this:

app.use(session({
    secret: 'secret',
    store: mongoSessionStore,
    key:    'express.sessionID',
    cookie: {domain: 'the-domain', path: '/', httpOnly: true, secure: false, maxAge: null },
    saveUninitialized: false,
    resave: false   
}));

The set-cookie header is sent directly when entering the site, but I don't want that.

Appreciate any help!

Having somewhat of a similar issue - did you have different behavior between localhost and remote server?

Hi, I cannot remember exactly any longer but I did have some problem with cookies when running on localhost. Not sure if it was related to this though. I think in Chrome there is a known problem/behaviour with cookies and localhost. Google "cookies localhost" and you will find info about that.

If running on localhost then access instead through your host's IP address and the cookie should be set.