Secure cookie behind a proxy server

[condrove10]

Hi, I'm currently setting up the login sessions for my website, but I'm a bit confused about the flags of the cookie because I'm using a reverse proxy coded by me which acts both as a reverse proxy and a subdomain handler. I'm most concerned about the flags : ["secure", "domain", "same-site"].

Because I don't know HOW and IF the reverse proxy will change the behavior of the cookie and if any header change is needed.

Currently, the secure flag is true, but as the documentation says, the webserver requires an HTTPS connection. The main problem here is that I use HTTP to host the individual instances for every subdomain. The HTTPS covers only the browser-to-(reverse proxy server) connection.

SO, I'd like to know if this coverage can be extended to the single instance or if the header should be modified.

Hope I can receive some clearance and details about this mess.

[alvarofblanco]

You just need to tell express to trust the proxy
As the documentation says:

Please note that secure: true is a recommended option. However, it requires an https-enabled website, i.e., HTTPS is necessary for secure cookies. If secure is set, and you access your site over HTTP, the cookie will not be set. If you have your node.js behind a proxy and are using secure: true, you need to set "trust proxy" in express:

var app = express()
var sess = {
  secret: 'keyboard cat',
  cookie: {}
}

if (app.get('env') === 'production') {
  app.set('trust proxy', 1) // trust first proxy
  sess.cookie.secure = true // serve secure cookies
}

app.use(session(sess))