
I have particular knowledge of how the Set-Cookie header works or setting a session value in ExpressJS, but for some reason I've gotten stuck with this issue.

The issue is that the Set-Cookie header sent in the response doesn't actually do anything in the browser, but when I tried to test it using Postman it works as expected; the session cookie was populated.

The app has two parts, the backend and frontend, and uses nginx for communicating between the two services.

```js
router.post('/api/users/signup', (req, res) => {
  // ...more code (elided in the original post)

  // Storing the JWT on the cookie-session object makes the response carry a Set-Cookie header
  req.session.jwt = userJwt;

  console.log(req.session);

  res.status(201).send(user);
});
```

I use the cookie-session package for the Express session and I have configured it as below.

```js
const express = require('express');
const { json } = require('express');
const cookieSession = require('cookie-session');

const app = express();

// Behind the nginx reverse proxy: trust X-Forwarded-* so req.secure reflects the client's scheme
app.set('trust proxy', true);
app.use(json());
app.use(
  cookieSession({
    signed: false,
    // Secure flag on the cookie everywhere except the test environment
    secure: process.env.NODE_ENV !== 'test',
    sameSite: 'none',
  })
);
app.use(function (req, res, next) {
  res.header(
    'Access-Control-Allow-Methods',
    'GET,PUT,POST,DELETE,UPDATE,OPTIONS'
  );
  res.header(
    'Access-Control-Allow-Headers',
    'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept, Set-Cookie'
  );
  next();
});
```

I'm wondering why the header is not set after a request is made, but on the other hand a request made through Postman successfully populated the said session.

[screenshot: cookie populated in Postman]

Hopefully someone can help.

2 Answers


  1. Chosen as BEST ANSWER

    I figured out what causes this issue. I've set up a local custom domain for my app running behind an nginx reverse proxy. The domain extension was .test, but it does not work well with the cookie secure flag set to true; on the other hand, .dev works perfectly.

    | Domain name | Cookie secure | Working |
    | --------    | --------------| --------|
    | myapp.test  | true          |   no    |
    | myapp.test  | false         |   yes   |
    | myapp.dev   | true          |   yes   |
    

  2. What are you using to make the request? I had several issues with axios and cookies and ended up using fetch.

    Try including the option `{credentials: 'include'}` on the
