Node, express.session as middleware does not set cookie
I found the answer in the documentation of .use.
I could not use the solution given to question NodeJS + Express - Apply session middleware to some routes since the ordering of my middlewares got messed up then.
So what I needed to do was point out which routes should use the middlewares when declaring the app.use(... In may case I wanted the middleware for session to act on all routes except the '/' so my new declaration of the middleware looks like this:
var routesArray = ['/login', '/auth', '/signup', '/email', '/chPassW', '/logout', '/snapshot'];
app.use(routesArray, session({
secret: 'secret',
store: mongoSessionStore,
key: 'express.sessionID',
cookie: {domain: 'the-domain', path: '/', httpOnly: true, secure: false, maxAge: null },
saveUninitialized: false,
resave: false
}));
northmoose
Updated on August 02, 2022Comments
-
northmoose over 1 year
this question is related to NodeJS + Express - Apply session middleware to some routes which I first thought would solve my problem. But it did not.
I'm trying to build a site where the first default-page show the user info about the site needing to use cookies and gives him the possibility to accept this. Therefore I do not want the server to send a set-cookie header until after the user has given their acceptance.
As in the solution to the question above I now try and insert the session as a middleware only to the routes that should have it. The problem is that doing so I never get any set-cookie header from the server. Checked this with Fiddler.
My code looks like this (only the relevant parts):
var express = require('express'); var app = express(); var session = require('express-session'); var mongoose = require('mongoose'); var configDB = require('./config/database.js'); var mongoStore = require('connect-mongo')(session); mongoose.connect(configDB.url); var mongoSessionStore = new mongoStore({ mongoose_connection: mongoose.connections[0] }); . . . var sessionMiddleware = session({ secret: 'secret', store: mongoSessionStore, key: 'express.sessionID', cookie: {domain: 'the-domain', path: '/', httpOnly: true, secure: false, maxAge: null }, saveUninitialized: false, resave: false }); require('./app/routes.js')(app, passport, sessionMiddleware);
And the routes looks like this, in seperate file:
module.exports = function(app, passport, sessionMiddleware) { app.get('/', loginIsLoggedIn, function(req, res) { res.render('cookie.ejs'); }); app.post('/', function(req, res) { if(req.body.cookieAnswer == "Accept"){ res.redirect('/login'); } else { res.render('cookie.ejs', {cookieMsg: req.body.cookieAnswer}); } }); app.get('/login', sessionMiddleware, loginIsLoggedIn, function(req, res) { res.render('login.ejs', {successMsg: res.locals.success_message, errorMsg: res.locals.error_message}); }); app.post('/login', sessionMiddleware, passport.authenticate('local-login', { successRedirect : '/auth', failureRedirect : '/login', failureFlash : true // allow flash messages }));
I hoped that when the sessionmiddleware is called the first time, when processing get 'login.ejs', that it would generate the set-cookie header in the response but there is something I'm missing here.
If I set up middleware like this:
app.use(session({ secret: 'secret', store: mongoSessionStore, key: 'express.sessionID', cookie: {domain: 'the-domain', path: '/', httpOnly: true, secure: false, maxAge: null }, saveUninitialized: false, resave: false }));
The set-cookie header is sent directly when entering the site, but I don't want that.
Appreciate any help!
-
oriharel almost 8 yearsHaving somewhat of a similar issue - did you have different behavior between localhost and remote server?
-
northmoose almost 8 yearsHi, I cannot remember exactly any longer but I did have some problem with cookies when running on localhost. Not sure if it was related to this though. I think in Chrome there is a known problem/behaviour with cookies and localhost. Google "cookies localhost" and you will find info about that.
-
Moika Turns about 5 yearsIf running on localhost then access instead through your host's IP address and the cookie should be set.