1. 技术文章
  2. Express session-cookie not being sent on openshift with https and secure flag

Express session-cookie not being sent on openshift with https and secure flag

て烟熏妆下的殇ゞ 提交于 2019-12-13 04:32:30

问题


Got a strange issue, I am using Express and in development we use http and have secure: false for the session cookie, however now we are moving to openshift we have turned https on thinking it would be a simple endeavour but our cookies are not being sent back with the responses. If however we turn off https and revert back to http on openshift it works fine and cookies are sent.

So here is an example of what the cookie config looks like:

var setupSession = function() {
    var sessionConfig = {
        secret: environmentVars.cookie.secret,
        name: environmentVars.cookie.name,
        maxAge: environmentVars.cookie.expiry,
        domain: environmentVars.cookie.domain,
        httpOnly: true,
        secure: environmentVars.cookie.secure, // true when using https
        secureProxy: environmentVars.cookie.secure, // true when using https
        signed: true
    };
    app.set('trust proxy', 1); // Just added this, still no luck
    app.use(session(sessionConfig));
};

So the above is run when the app starts up and as noted in the comments when we are using a secure connection the environment vars are set for us, and when the above is used in conjunction with HTTPS no cookie is sent back from express, however openshift cookies are sent back, like the gears one etc. Again with http and disabling the secure stuff it works fine we all get cookies and rejoice. All responses work and data is sent back its just the set-cookie header is missing for the apps cookies (but as mentioned not openshift ones).

So the actual certificate is not setup within nodejs it is setup on openshift as an alias with a certificate applied. So express really has no idea it is being run in https other than the environmental vars it is passed and the port it is provided by the gear that is running it.

So has anyone else had anything similar or has any ideas on what we can try to solve the problem or diagnose it? I did some reading and people suggested trying the trust proxy and secureProxy, which has been done but still no luck.


回答1:


So it turns out I was just being an idiot, it should look like:

var setupSession = function() {
    var sessionConfig = {
        secret: environmentVars.cookie.secret,
        name: environmentVars.cookie.name,
        maxAge: environmentVars.cookie.expiry,
        domain: environmentVars.cookie.domain,
        httpOnly: true,            
        secureProxy: environmentVars.cookie.secure, // true when using https
        signed: true,
        cookie: {
            secure: environmentVars.cookie.secure, // true when using https
        }
    };
    app.set('trust proxy', 1); // Just added this, still no luck
    app.use(session(sessionConfig));
};

All works now :)




回答2:


I had similar problem with express-session and after many trials the culprit for me was setting cookie.domain. Browsers wouldn't save the cookie.

This is how I was setting the value:

cookie: { 
  ...
  domain: process.env.OPENSHIFT_CLOUD_DOMAIN,
  ...
}

Hope it helps anyone going through the same, since at the time this is the best suited stackoverflow question to share this.



来源:https://stackoverflow.com/questions/30981645/express-session-cookie-not-being-sent-on-openshift-with-https-and-secure-flag

标签
node.js
cookies
https
openshift
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!