Cookie not set in response when setting secure:true #71

Closed
MWerk opened this Issue Dec 14, 2016 · 2 comments

MWerk commented Dec 14, 2016

Hello,

When running the following app.js:

var cookieSession = require('cookie-session')
var helmet = require('helmet');
var express = require('express')

var app = express()

app.use(helmet());
var oneYearInSeconds = 31536000;
app.use(helmet.hsts({
  // helmet 0.14's hsts middleware takes maxAge in milliseconds: passing the
  // seconds value is what produces "max-age=31536" in the response below.
  maxAge: oneYearInSeconds * 1000,
  includeSubDomains: true,
  force: true
}));

// cookie-session's maxAge is a duration in milliseconds, not an absolute
// timestamp. Passing Date.now() + 1h gives a cookie that expires decades
// from now (the 2961374488 expiry, a date in 2063, in the cookie jar below).
var oneHourInMilliseconds = 60 * 60 * 1000;
app.use(cookieSession({
  name: 'session',
  secret: '10dfaf09-cf6f-43a9-b40b-4eaacbcceb8a',
  maxAge: oneHourInMilliseconds,
  secure: true
  // secureProxy: true, // Deprecated when using 2.0.0-alpha. Says to use secure option but that stops passing on cookies. When set to true, the cookie is set to Secure. If commented out, cookie not set to Secure
}))

app.get('/', function (req, res, next) {
  // Update something in the session, needed for a cookie to appear
  req.session.views = (req.session.views || 0) + 1

  // Write response
  res.end(req.session.views + ' views')
})

app.listen(3000)

When I now curl it:
vagrant$ curl -c - -v http://localhost:3000/
* Connected to localhost (127.0.0.1) port 3000 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: localhost:3000
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-XSS-Protection: 1; mode=block
< Surrogate-Control: no-store
< Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536; includeSubDomains
< Date: Tue, 13 Dec 2016 11:27:37 GMT
< Connection: keep-alive
< Content-Length: 7
<
* Connection #0 to host localhost left intact

As you can see, no cookie is added or set. When I comment out secure: true and set secureProxy: true, a cookie is returned; you'll see something like:

#HttpOnly_localhost FALSE / TRUE 2961374488 session eyJ2aWV3cyI6MX0=
#HttpOnly_localhost FALSE / TRUE 2961374488 session.sig DJaPtrG-tmTnVr33fOWXqWGnVlw

See also my comment at the end of the secureProxy field.

Versions used:
node js: 6.7.0
express: 4.13.30
cookie-session: 1.2.0
helmet: 0.14.0

Am I doing something wrong? Or maybe it's helmet being in the way in some form? Update: nope, when commenting out the helmet parts, same behavior.

nickve28 Feb 2, 2017

We're having the same problem. Did you find anything regarding this matter by any chance @MWerk ?

@dougwilson dougwilson self-assigned this Feb 6, 2017

dougwilson Feb 6, 2017

Member

I need to expand the documentation directly in this module, but you can read more in the documentation in the underlying library that is setting the cookies: https://github.com/pillarjs/cookies#secure-cookies

The answer is that when you set secure: true, this module won't even produce a Set-Cookie response header if your connection to Node.js is not over TLS (which in @MWerk's example, it is not over TLS).

If you are using Express, as @MWerk is, and you are terminating TLS somewhere above the Express Node.js instance, then you'll want to setup the trust proxy setting in Express such that it signals to the module that the connection is indeed over a TLS connection.
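The two decisions the reply above describes, written out as an added example (this is not code from cookie-session, the cookies library or Express): how Express derives the request protocol from the socket and the `trust proxy` setting, and how a cookie marked `secure: true` is silently omitted when that protocol is not https. Assumptions: `trust proxy` is modelled as a plain boolean (the hop-count and IP-list forms Express also accepts are not modelled), the request objects are constructed stand-ins rather than real Node requests, and the cookie is dropped rather than raising an error, matching what the reply states.

```javascript
// Express-style protocol detection for a Node request-like object.
// (Assumption: trustProxy is a boolean; Express also accepts hop counts and IP lists.)
function requestProtocol(req, trustProxy) {
  // TLS terminated in this process: the socket itself is encrypted.
  if (req.socket && req.socket.encrypted) return 'https';
  // Plain TCP: only believe X-Forwarded-Proto if the proxy is trusted.
  if (!trustProxy) return 'http';
  const forwarded = req.headers['x-forwarded-proto'];
  if (!forwarded) return 'http';
  // Express takes the left-most entry of a comma-separated list.
  return forwarded.split(',')[0].trim().toLowerCase();
}

// Return the Set-Cookie header value for a Secure cookie, or null when the
// connection is not seen as TLS (in which case no header is sent at all).
function secureSetCookie(req, name, value, trustProxy) {
  if (requestProtocol(req, trustProxy) !== 'https') return null;
  return name + '=' + value + '; path=/; httponly; secure';
}

// Minimal constructed request-like object for the scenarios below.
function fakeRequest(headers, encrypted) {
  return { headers: headers, socket: { encrypted: encrypted } };
}

// Session cookie value taken from the cookie jar output in the issue.
const SESSION = 'eyJ2aWV3cyI6MX0=';

// Four situations from the thread and the reply.
function scenarios() {
  return {
    // MWerk's curl: plain http://localhost:3000, no proxy, no trust proxy.
    plainHttp: secureSetCookie(fakeRequest({}, false), 'session', SESSION, false),
    // A client spoofs X-Forwarded-Proto; without trust proxy it is ignored.
    spoofedHeaderUntrusted: secureSetCookie(
      fakeRequest({ 'x-forwarded-proto': 'https' }, false), 'session', SESSION, false),
    // TLS terminated upstream and app.set('trust proxy', true): cookie is sent.
    behindTrustedProxy: secureSetCookie(
      fakeRequest({ 'x-forwarded-proto': 'https' }, false), 'session', SESSION, true),
    // Node terminates TLS itself (https.createServer): no proxy setting needed.
    directTls: secureSetCookie(fakeRequest({}, true), 'session', SESSION, false)
  };
}

const results = scenarios();
for (const name of Object.keys(results)) {
  console.log(name + ': ' + (results[name] === null ? '(no Set-Cookie header)' : results[name]));
}
```

In a real Express app the equivalent fix is `app.set('trust proxy', 1)` (or a list of proxy addresses) together with a proxy that sets `X-Forwarded-Proto: https`; the `spoofedHeaderUntrusted` case is why the setting exists at all, since without it a client-supplied header must not be able to flip the request to "secure".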

dougwilson added a commit that referenced this issue Feb 12, 2017
