skip to Main Content

We are creating a backend for a Twitter view app in Nodejs (Express).

I’m thinking of using Twitter Api for login and storing the token returned after authentication to the session and then restoring the session from the cookie when it is accessed again.

However, the cookie is blocked when it is accessed again and I can’t restore the session information.

The browser I use is chrome, but since chrome version 80, SameSite attribute seems to be Lax (sends a cookie when called from the site of the same domain) when the SameSite attribute is not specified, and in this case, front and back end are different domains, so cookies are blocked.

So I am trying to set the SameSite attribute to None (sends a cookie when called by any site), but I can’t seem to set it well and asked this question.

I’m wondering if I can set the SameSite attribute to None if I make a difference in the part of app.use(session({})), but…

If anyone knows of a solution, I would appreciate your help.

Thank you for your help.

The corresponding source code

callback_url = env.URL + "oauth/callback";

app.use(
    cookieSession({
      name: "session",
      keys: ["thisappisawesome"],
      maxAge: 24 * 60 * 60 * 100
    })
);

app.use(cookieParser());

// Save to session
passport.serializeUser(function(user, done) {
    done(null, user.id);
});

// Restore from Session
passport.deserializeUser(function(user, done) {
    done(null, user);
});

passport.use(
    new TwitterStrategy({
        consumerKey: env.TWITTER_CONSUMER_KEY,
        consumerSecret: env.TWITTER_CONSUMER_SECRET,
        callbackURL: callback_url
    },
    async (token, tokenSecret, profile, done) => {

        return done(null, profile);
    }
));

app.use(session({
    allowedHeaders: ['sessionId', 'Content-Type'],
    exposedHeaders: ['sessionId'],
    secret: 'reply-analyzer',
    resave: false,
    saveUninitialized: false
}));

var cors_set = {
    origin: env.CORS_ORIGIN_URL,
    methods: "GET,HEAD,PUT,PATCH,POST,DELETE",
    credentials: true // allow session cookie from browser to pass through
};

app.use(passport.initialize());
app.use(passport.session());
app.use(cors(cors_set));

What I’ve tried.

1.I tried setting the cookie options in the app.use(session({})) part, but it was not possible to set the SameSite attribute to None.

app.use(session({
    allowedHeaders: ['sessionId', 'Content-Type'],
    exposedHeaders: ['sessionId'],
    secret: 'reply-analyzer',
    resave: false,
    saveUninitialized: false,
    cookie : {
        secure: true,
        sameSite: 'None'
      }
}));

2.I tried using the following middleware (express-samesite-default), but the SameSite attribute can be set to None, and the It wasn’t.

var sameSiteCookieMiddleware = require("express-samesite-default");

app.use(sameSiteCookieMiddleware.sameSiteCookieMiddleware());

Additional information

Node.js v12.18.2
chrome v84.0.4147.135

3

Answers


  1. Chosen as BEST ANSWER

    I was able to self-resolve and will describe how I was able to solve the problem. In the code there are two sessions and a cookie session, but I decided to use the cookie session as it seems to work fine. The end result is the following

    var cookieSession = require("cookie-session");
    app.set('trust proxy', 1)
    app.use(
        cookieSession({
          name: "__session",
          keys: ["key1"],
            maxAge: 24 * 60 * 60 * 100,
            secure: true,
            httpOnly: true,
            sameSite: 'none'
        })
    );
    

  2. try SameSite: 'none' with capital S it worked for me but i used express-session with cookie-parser… i think your code not working because of small s, when i change my to sameSite it’s not working for me too, but SameSite works just as expected

    also i use npm i cors

    here is my piece of code

    app.use(session({
        key: 'session_cookie_user_auth',
        secret: 'mooncore',
        store: sessionStore,
        resave: false,
        saveUninitialized: false,
        cookie: {
            SameSite: 'none',
            maxAge: 1000 * 60 * 60 * 60
        }
    }));
    
    Login or Signup to reply.
  3. Hey I just used like this. And it worked. I’m using localhost for both frontend and express backend.

            res.cookie('token', token, {
                expires: new Date(Date.now() + (3600 * 1000 * 24 * 180 * 1)),
                httpOnly: true,
                sameSite: "none",
                secure: "false",
            });
    
    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search