Use distinct session settings based on req domain #4108

@ortizvinicius

Hello guys,

I have a web application that runs on localhost, serving data through port :30 to an also local web interface accessed via IP. Then I set up an ngrok tunnel to redirect the server data through ssh to an online address accessed via an online web interface.

The 2 interfaces are identical; the only difference is that if the user is outside the network, then he can access the system through the online interface. I need this to work that way, because I cannot be 100% dependent on an internet connection for my app to work, so if the user doesn't have internet but is in the local network, he can access the local address.

This has been working fine for a couple of years, but some time ago I started to experience a problem in iOS, where after the login the page returned to the login page, as the session had not been started. It only works fine on Opera for iOS. In Android and Windows it works well in any navigator, but now Google Chrome has started to show this message for the online interface:

A cookie associated with a cross-site resource at http://***.ngrok.io/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Currently my session setting is this:

```javascript
const express = require('express');
const session = require('express-session');
const exapp = express();

exapp.use(session({
  name: 'session-name',
  secret: 'session-secret',
  resave: false,
  saveUninitialized: false,
  rolling: true,
  cookie: {
    secure: false,   // cookie is also sent over plain HTTP (the local interface)
    httpOnly: false
  }
}));
```

I can solve the problem by setting it like this:

```javascript
const express = require('express');
const session = require('express-session');
const exapp = express();

exapp.set('trust proxy', 1); // needed so secure: true works behind the ngrok tunnel
exapp.use(session({
  name: 'session-name',
  secret: 'session-secret',
  resave: false,
  saveUninitialized: false,
  rolling: true,
  cookie: {
    sameSite: 'none', // cross-site cookie, which Chrome only accepts together with Secure
    secure: true,
    httpOnly: false
  }
}));
```

But then I run into another problem: the local interface. It doesn't work anymore because the local address is not HTTPS, and even if I install a certificate I need to trust it in every navigator that will use the app.

My question is: is there a way to use 2 types of settings for the express session? One for the remote interface, which will be secure and cross-domain, and another for the local interface, which will be on the same domain and insecure. If not, an alternative suggestion would be welcome.

Thanks.
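One way to get two cookie policies out of express-session, as an added example that is neither the issue author's code nor part of the express-session project: build one session middleware per policy at startup and dispatch between them per request, keyed on the Host header and on whether the request really arrived over TLS. The LAN hosts, the `.ngrok.io` suffix check and the helper names (`pickCookieOptions`, `selectSession`) are assumptions; the middlewares are passed in so the selector runs without express installed.

```javascript
// Added example: per-request choice between a cross-site Secure cookie
// (tunnelled origin) and a same-site plain-HTTP cookie (LAN origin).
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '192.168.0.10']); // constructed LAN origins
const TUNNEL_HOST_SUFFIX = '.ngrok.io'; // assumed public origin

function hostOf(req) {
  // Drop the port so "localhost:30" matches "localhost".
  return ((req.headers && req.headers.host) || '').replace(/:\d+$/, '').toLowerCase();
}

function isTls(req, trustProxy) {
  if (req.secure) return true;   // TLS terminated by this process
  if (!trustProxy) return false; // never believe X-Forwarded-Proto from an untrusted client
  const xfp = ((req.headers && req.headers['x-forwarded-proto']) || '').split(',')[0].trim();
  return xfp === 'https';
}

// Cookie options for this request, or null when no session cookie should be
// issued: an unrecognised Host, or a tunnel request that did not come over TLS
// (SameSite=None without Secure is rejected by Chrome anyway).
function pickCookieOptions(req, { trustProxy = false } = {}) {
  const host = hostOf(req);
  if (host.endsWith(TUNNEL_HOST_SUFFIX)) {
    if (!isTls(req, trustProxy)) return null;
    return { sameSite: 'none', secure: true, httpOnly: true };
  }
  if (LOCAL_HOSTS.has(host)) {
    return { sameSite: 'lax', secure: false, httpOnly: true };
  }
  return null;
}

// express-session fixes the cookie config when session({...}) is called, so
// create two middlewares at startup, e.g. session({ ...base, cookie: remoteCookie })
// and its local counterpart, and route each request to the matching one.
function selectSession(remoteMw, localMw, opts) {
  return function (req, res, next) {
    const cookie = pickCookieOptions(req, opts);
    if (!cookie) {
      res.statusCode = 421; // Misdirected Request: Host is not one we serve
      return res.end('unrecognised host');
    }
    return (cookie.secure ? remoteMw : localMw)(req, res, next);
  };
}
```

The issue's config sets `httpOnly: false`; the example keeps `httpOnly: true` because nothing in the post shows client-side script needing to read the session cookie.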
