Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

unable to use secure cookies

See original GitHub issue

I am trying to set secure cookies, it does not work at first try.

I am using

 secret: sessionSecret,
      resave: false,
      saveUninitialized: true,
      cookie: {
        secure: true,
        httpOnly: true,
        domain: 'beintoo.net',
        expires: expiryDate
      }

I found function issecure relying on req.connection.encrypted here but it seems not supported anymore, see https://github.com/expressjs/express/issues/1864

Any hint?

Issue Analytics

State:
Created 8 years ago
Reactions:1
Comments:22 (10 by maintainers)

Top GitHub Comments

103reactions

dougwilsoncommented, Mar 2, 2016

Ah, should be able to get proxy_set_header X-Forwarded-Proto https; added in there and it should be good to go?

48reactions

ghostcommented, Oct 28, 2016

I had some trouble with this as well. By turning on cookie: { secure: true }, proxy: true, app.set('trust proxy', true), and proxy_set_header X-Forwarded-Proto $scheme; in the nginx proxy, I’ve gotten HTTPS cookies to work.

Here’s a snip of my app:

app.set('trust proxy', true)
app.use(session({
    store: new RedisStore({
        pass: 'aaa',
    }),
    secret: 'aaa',
    proxy: true,
    resave: false,
    saveUninitialized: true,
    cookie: { secure: true }
    }))

And my nginx configuration:

# Snip of nginx proxy configuration

proxy_redirect off;
    proxy_http_version 1.1;
    proxy_pass http://127.0.0.1:port;
    proxy_set_header Host $host; 
    proxy_set_header X-Real-IP $remote_addr; 
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;