The following warning is being shown in the console, even though I have the following settings on my express application. Has anyone seen this error before? My search brought me to https://github.com/expressjs/express/issues/3095
I am also using express 4.17.1.

```javascript
let COOKIE_OPTIONS = { httpOnly: true, sameSite: 'None', secure: true };
```
```
A cookie associated with a cross-site resource at http://MYURL.URL was set
without the `SameSite` attribute. A future release of Chrome will only deliver
cookies with cross-site requests if they are set with `SameSite=None` and
`Secure`. You can review cookies in developer tools under
Application>Storage>Cookies and see more details at
https://www.chromestatus.com/feature/5088147346030592 and
https://www.chromestatus.com/feature/5633521622188032.
```
When doing a request using Insomnia (Postman) I see the following:

```
access_token=someToken;
Path=/;
HttpOnly;
Secure;
SameSite=None
```
Standards related to the Cookie SameSite attribute recently changed such that:

- The cookie-sending behavior if SameSite is not specified is SameSite=Lax. Previously the default was that cookies were sent for all requests.
- Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).

samesite option on cookies: Starting in Chrome 80, cookies that do not specify a SameSite attribute will be treated as if they were SameSite=Lax, with the additional behavior that they will still be included in POST requests to ease the transition for existing sites.

The browser sends the cookie only for same-site requests (that is, requests originating from the same site that set the cookie). If the request originated from a different URL than the current one, no cookies with the SameSite=Strict attribute are sent.
The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected. To fix this, you will have to add the Secure attribute to your SameSite=None cookies. A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.
Documentation Link: https://www.npmjs.com/package/express-session#cookiesamesite
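As an added example (not code from the question or any answer), the following Node script parses `Set-Cookie` header values and classifies each cookie the way the rules above describe: `SameSite=None` without `Secure` is rejected, a missing `SameSite` attribute falls back to Lax, everything else is accepted as declared. The sample headers are constructed; the first is the one shown in the question.

```javascript
// Added example: audit Set-Cookie header values against the Chrome 80
// SameSite rules. Sample header values below are constructed for illustration.

function parseSetCookie(header) {
  const [pair = '', ...attrs] = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // null means the attribute was not sent at all
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.trim().toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v.trim().toLowerCase(); break;
      default: break; // Path, Domain, Expires, Max-Age are not needed here
    }
  }
  return cookie;
}

// Classify a cookie the way a Chrome 80+ browser will treat it:
//  - SameSite=None without Secure -> rejected (the warning in the question)
//  - no SameSite attribute        -> treated as Lax by default
//  - anything else                -> accepted as declared
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === 'none' && !c.secure) {
    return { name: c.name, verdict: 'rejected', reason: 'SameSite=None requires Secure' };
  }
  if (c.sameSite === null) {
    return { name: c.name, verdict: 'lax-by-default', reason: 'no SameSite attribute; browser applies Lax' };
  }
  return { name: c.name, verdict: 'ok', effectiveSameSite: c.sameSite };
}

// Constructed sample headers: the one from the question plus two problem cases.
const SAMPLES = [
  'access_token=someToken; Path=/; HttpOnly; Secure; SameSite=None',
  'access_token=someToken; Path=/; HttpOnly; SameSite=None',
  'sid=abc123; Path=/; HttpOnly',
];

for (const h of SAMPLES) console.log(auditSetCookie(h));
```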
The below code will solve your issue. This is also recommended going forward.

```javascript
const express = require('express');
const session = require('express-session');
const app = express();
const sessionConfig = {
  secret: 'MYSECRET',
  name: 'appName',
  resave: false,
  saveUninitialized: false,
  store: store, // session store, defined further below
  cookie: {
    sameSite: 'strict', // THIS is the config you are looking for.
  }
};
if (process.env.NODE_ENV === 'production') {
  app.set('trust proxy', 1); // trust first proxy
  sessionConfig.cookie.secure = true; // serve secure cookies
}
app.use(session(sessionConfig));
```
In your case, set sameSite to 'none'.

In case you are wondering what `store` is: I am using my database as storage for all the cookies. It's not relevant to the question asked by OP. Just added as pointed out by @klevis in the comment. Here's the code:
```javascript
const KnexSessionStore = require('connect-session-knex')(session);
const store = new KnexSessionStore({
  tablename: 'session',
  knex: kx, // kx is the configured knex instance
  createtable: false
});
```
You can set these options without using any node package, with Express only, like this:

```javascript
app.get('/', (req, res) => {
  // ..... Other Code
  res.cookie('cookieName', 'cookieValue', { sameSite: 'none', secure: true });
  // ..... Other Code
});
```