express-session secure: true

const express = require("express");
const session = require("express-session");

const app = express();
// Stand-in for the store the questioner uses; any store implementing the
// express-session store interface works here.
const sessionStore = new session.MemoryStore();

app.use(session({
    secret: "testing credentials",
    store: sessionStore,
    resave: true,
    saveUninitialized: true,
    cookie  : {
        httpOnly: true,
        //secure: true,            // the setting in question, currently disabled
        maxAge  : 60 * 60 * 1000   // one hour, in milliseconds
    }
}));

I'm working on some security problems on my newly developed website. After doing some research online, it seems that if secure=true is set, then it will be more secure. However, if I set secure: true, then the information inside the session is lost every time the user sends another request. Is there a way to solve this problem? If I don't include "secure: true" in the cookie: block, then the session lasts for that maxAge.

Pano asked Oct 29 '16 22:10


1 Answer

If a cookie is set with the secure flag, it will only be sent to the server by the browser over https, and not plain http. This should be the default for production environments.

However, when developing an app, you probably use plain http on your dev machine. If you set your session cookie as secure in this case (using plain http), the server will never receive it, and you will experience a new empty session on each request.

So in short, you should only set the cookie as secure if you are using https (that is, in later stages of your development pipeline, and definitely in production).

On another note, if you set maxAge, the cookie will be persisted, which is not the best practice for session cookies. Without maxAge, the cookie will be kept until the user closes the browser and not normally persisted to disk, which is the correct behaviour for session cookies.

Gabor Lengyel answered Oct 14 '22 18:10
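The approach the answer describes, as an added example that is not part of the question or the answer: the secure flag is derived from the environment rather than hard-coded, so plain-http development keeps its session while production only accepts the cookie over https. `behindTlsProxy` is an assumed flag meaning TLS terminates at a reverse proxy in front of Node; `app` and `session` are passed in so the file loads without express installed.

```javascript
// Build express-session options from the deployment environment.
// Assumed inputs: env (defaults to NODE_ENV), secret, store, behindTlsProxy.
function sessionConfig({ env = process.env.NODE_ENV, secret, store, behindTlsProxy = false } = {}) {
  const production = env === 'production';
  return {
    secret,
    store,
    resave: false,            // assumes the store supports touch(); avoids needless writes
    saveUninitialized: false, // no session row for visitors who never log in
    // express-session's `proxy` option makes it honour X-Forwarded-Proto when
    // judging whether the connection is secure; needed for `secure: true`
    // when nginx/HAProxy terminates TLS and talks plain http to Node.
    proxy: production && behindTlsProxy,
    cookie: {
      httpOnly: true,
      sameSite: 'lax',
      // secure only where the site is served over https: on plain http the
      // browser never returns a secure cookie, so every request would start
      // a new, empty session (the symptom described in the question).
      secure: production,
      // no maxAge: a session cookie that expires when the browser is closed
    },
  };
}

// Wire the middleware into an Express app. `app` and `session` are injected
// (constructed in the test) so this file has no dependencies of its own.
function attachSession(app, session, opts) {
  const cfg = sessionConfig(opts);
  if (cfg.proxy) {
    // Express itself must trust the first proxy hop for req.secure to be true.
    app.set('trust proxy', 1);
  }
  app.use(session(cfg));
  return cfg;
}

// Usage with real modules (assumed installed):
//   const express = require('express'), session = require('express-session');
//   attachSession(express(), session, { secret: process.env.SESSION_SECRET, behindTlsProxy: true });
```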