Option to not send cookies on certain HTTP method request (e.g. OPTIONS) #323

tixelated opened this Issue Jul 16, 2011 · 5 comments


None yet

6 participants


Hello -

I've recently noticed that certain (all?) browsers do not send cookies with OPTIONS requests, but session (understandably) sends a cookie response with a new session ID in response to these. (OPTIONS requests are used to probe CORS access control headers prior to sending AJAX requests.)

My specific scenario is the following:

  1. request http://m.tixelated.com 1a. Receive cookie with new session ID
  2. AJAX OPTIONS request to http://api.tixelated.com to probe for CORS headers (this is automatically generated by the browser) 2a. Browser does not send cookie 2b. Session responds with Set-Cookie header and NEW session ID
  3. Subsequent requests to http://api.tixelated.com use different session ID

I've confirmed that GET requests to various subdomains work correctly with my setup.

Proposed solution: an option to allow disabling sessions/cookie responses for certain HTTP requests, in this case OPTIONS (there may be other use cases. If not, a simple boolean for that method would suffice.)

(Or - maybe I'm doing something boneheaded.)

Sencha Labs member
tj commented Jul 18, 2011

yeah no easily solution here. IMO it would be really dirty to come up with some ad hoc way to do this, the cleanest most versatile thing I can think of is adding some kind of method like req.session.ignore() or abort() maybe im not sure, and when that is called it wont commit the session, that way you can apply any logic you want in middleware. I haven't looked into it but if that is the case then we should add some baked in middleware to support a fix for this in Express


you'll have to just wrap the middleware in a conditional.

function (req, res, next) {
  if (true)
    express.session({})(req, res, next);


I know this is an old thread, but, were you guys able to find a fix for the above mentioned use case ? I am facing the exact issue and I am not finding any help anywhere.

Any kind of lead will be great. Thanks in advance.


I second azherf - is there a proper way to do this yet?


The current version of connect has no session code or anything for us to change to address any problem with it. I assume you are using a discontinued version of connect, which is not a supported line.

@dougwilson dougwilson locked and limited conversation to collaborators Nov 19, 2015
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.