
Express session module not saving session cookie in cross site application

Open TheInvoker opened this issue 3 years ago • 0 comments

I am running a node.js app on http://localhost:3002 and a client side app on http://localhost:5173 (hosted with vite tooling)

I am trying to send cookies from the server to the client to authenticate users using express-session, but every request that comes in keeps generating as a new session. The cookies are not sending properly.

Node.js code

    this.#app.use(cookieParser());

    this.#app.use(cors({
        origin: WEB_CLIENT_URL,
        credentials: true,
        methods:'GET, POST',
        allowedHeaders:'Origin, X-Requested-With, Content-Type, Accept, authorization'
    }));
    
    var sess = {
        secret: 'keyboard cat',
        saveUninitialized: false,
        resave: false,
        cookie: {
            secret: 'yourSecret',
            secure: process.env.NODE_ENV === 'production',
            httpOnly: process.env.NODE_ENV === 'production',
            sameSite: "none" as "none",
            maxAge: 24 * 60 * 60 * 1000,  // 24 hours
            domain: undefined//'localhost:3002'
        },
    }
    if (process.env.NODE_ENV === 'production') {
        this.#app.set('trust proxy', 1) // trust first proxy
    }
    this.#app.use(session(sess));

    this.#app.use(async (req, res, next)=> {

        // Website you wish to allow to connect
        res.setHeader('Access-Control-Allow-Origin', req.headers.origin ?? "");

        // Request methods you wish to allow
        res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE');
        // Request headers you wish to allow
        res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type, Authorization');
        // Set to true if you need the website to include cookies in the requests sent
        // to the API (e.g. in case you use sessions)
        res.setHeader('Access-Control-Allow-Credentials', 'true');

        const session = req.session as Session;
        console.log(req.session.id, req.method, req.originalUrl);
        if (!session.user) {
            const access = await TokenCollection.CreateAccessToken();
            session.user = access.token;
            req.session.save((err) => {
                if (err) {
                    next(Utils.GetError('Error creating session', 500));
                } else {
                    next();
                }
            }); 
        } else {
            console.log("FOUND USER");
            next();
        } 
    });

and client side

    response = await fetch("http://localhost:3002/api/user", {
        method: "POST",
        body: JSON.stringify(profile_form_data),
        headers: {
            'authorization': `Bearer ${access.token}`,
            'content-type': 'application/json'
        },
        credentials: 'include'
    });

BTW I'm running in dev mode so process.env.NODE_ENV === 'production' will be false.

Does anyone know what's wrong?

TheInvoker Sep 11 '22 01:09
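The following is an added example, not code from the issue author or from the express-session project. It is a dependency-free Node.js model of the rules a current browser applies before it stores a session cookie that came back on a `fetch()` made with `credentials: 'include'`: a `SameSite=None` cookie is only stored when it also carries `Secure`; the "site" used for SameSite decisions is scheme plus registrable domain and ignores the port, so two `localhost` ports are the same site; and a `Domain` attribute must domain-match the request host (a value with a port never does). The function names `parseSetCookie`, `siteOf`, `isCrossSite` and `cookieRejectionReasons` are this example's own, and the registrable-domain logic is a simplification that uses the last two host labels instead of the Public Suffix List. Running it against the dev-mode cookie the configuration above would emit (no `Secure`, `SameSite=None`) shows why such a cookie never reaches the next request and every request starts a new session.

```javascript
// Added example: models browser cookie-acceptance rules for express-session setups.
// Not the issue author's code and not part of express-session; all names are
// this example's own. Simplified on purpose: no Public Suffix List, no size or
// __Host-/__Secure- prefix rules.

// Parse a Set-Cookie header into name, value and a lowercased attribute map.
// Valueless attributes (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// "Site" = scheme + registrable domain. The port is NOT part of it, so
// http://localhost:5173 and http://localhost:3002 are the same site.
function siteOf(origin) {
  const u = new URL(origin);
  const labels = u.hostname.split('.');
  const singleLabelOrIp = labels.length < 2 || /^[\d.]+$/.test(u.hostname);
  const registrable = singleLabelOrIp ? u.hostname : labels.slice(-2).join('.');
  return `${u.protocol}//${registrable}`;
}

function isCrossSite(clientOrigin, serverOrigin) {
  return siteOf(clientOrigin) !== siteOf(serverOrigin);
}

// Returns the reasons a browser would refuse to store the cookie returned by
// `serverOrigin` to a page on `clientOrigin`; an empty array means it is stored.
function cookieRejectionReasons(setCookieHeader, { clientOrigin, serverOrigin }) {
  const c = parseSetCookie(setCookieHeader);
  const reasons = [];
  const sameSite = String(c.attrs.samesite ?? 'lax').toLowerCase(); // default is Lax
  const secure = c.attrs.secure === true;
  const server = new URL(serverOrigin);
  // Current browsers treat http://localhost as a secure context for cookies.
  const secureContext = server.protocol === 'https:' || server.hostname === 'localhost';

  if (sameSite === 'none' && !secure) {
    reasons.push('SameSite=None requires the Secure attribute');
  }
  if (secure && !secureContext) {
    reasons.push('Secure cookie set from a non-secure context');
  }
  if (sameSite !== 'none' && isCrossSite(clientOrigin, serverOrigin)) {
    reasons.push(`SameSite=${sameSite} cookie set by a cross-site response`);
  }
  if (typeof c.attrs.domain === 'string') {
    const d = c.attrs.domain.replace(/^\./, '').toLowerCase();
    const host = server.hostname;
    if (!(host === d || host.endsWith('.' + d))) {
      reasons.push(`Domain=${c.attrs.domain} does not domain-match ${host}`);
    }
  }
  return reasons;
}

// Constructed scenarios (the cookie strings are made up for this example).
const DEV = { clientOrigin: 'http://localhost:5173', serverOrigin: 'http://localhost:3002' };
const PROD_CROSS = { clientOrigin: 'https://app.example.com', serverOrigin: 'https://api.example.net' };

function scenarios() {
  return {
    // What the dev-mode config above emits: SameSite=None but no Secure flag.
    devNoneWithoutSecure: cookieRejectionReasons(
      'connect.sid=s%3Aabc.sig; Path=/; SameSite=None', DEV),
    // Same host, different port: Lax is enough and the cookie is stored.
    devLaxSameSite: cookieRejectionReasons(
      'connect.sid=s%3Aabc.sig; Path=/; HttpOnly; SameSite=Lax', DEV),
    // Domain with a port can never domain-match the request host.
    devDomainWithPort: cookieRejectionReasons(
      'connect.sid=s%3Aabc.sig; Path=/; Domain=localhost:3002; SameSite=Lax', DEV),
    // Genuinely cross-site production API: None + Secure is the only stored form.
    prodNoneSecure: cookieRejectionReasons(
      'connect.sid=s%3Aabc.sig; Path=/; HttpOnly; Secure; SameSite=None', PROD_CROSS),
    prodLaxCrossSite: cookieRejectionReasons(
      'connect.sid=s%3Aabc.sig; Path=/; HttpOnly; Secure; SameSite=Lax', PROD_CROSS),
  };
}

for (const [name, reasons] of Object.entries(scenarios())) {
  console.log(name, reasons.length === 0 ? 'stored' : `dropped: ${reasons.join('; ')}`);
}
```

A practical way to use this is to copy the `Set-Cookie` line from the DevTools Network tab of the failing request into `cookieRejectionReasons` with the two origins; the same rejection reasons appear in the Issues panel of Chromium-based browsers, which is the first place to look when every request to an express-session app starts a new session.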