Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Node.js express-session what does the proxy option do?

Tags:

node.js

express

proxy

session-variables

session

app.use(session(
  {
    ...
    proxy: true,
    resave: true,
    saveUninitialized: true
  }
));

I found a tutorial on express-session and they have an proxy: true option. Can I leave it on true? What does this do? Is it better to include it? I know what a proxy is however I don't really get why this is an option?

like image 579
user3806549 Avatar asked Nov 29 '22 07:11

user3806549

1 Answers

The fine manual states:

Trust the reverse proxy when setting secure cookies (via the "X-Forwarded-Proto" header).

This refers to situations where clients don't connect directly to your Node server, but through a reverse proxy. For instance, clients connect to an NGINX webserver, which forwards the requests to a Node server; NGINX, in this situation, is the reverse proxy.

In reverse proxy setups, it's also quite common that the client communicates with the reverse proxy over HTTPS, yet the proxy communicates with the Node server using plain HTTP.

This is an issue when you configure the session middleware to use so-called "secure cookies" (documented here). The session middleware won't allow these cookies being sent over plain HTTP but requires that they are sent over HTTPS. If your reverse proxy communicates with your Node server over HTTP, this would mean you won't be able to use secure cookies.

To solve this problem, the reverse proxy will set the X-Forwarded-Proto header to every request it forwards. It tells the Node server what the original protocol of the request was, regardless of the way the reverse proxy connects to the Node server.

With the proxy option of the session middleware, you're telling it to trust this header and allow secure cookies being sent over plain HTTP, provided that X-Forwarded-Proto is set to https.

If you are exposing your Node server directly (so clients connect to it), you should set this option to false, because otherwise, a client can fool your server (by sending a X-Forwarded-Proto header itself) into thinking that the connection was secure. However, if you're not using secure cookies anyway, it won't really matter.

like image 139
robertklep Avatar answered Dec 04 '22 23:12

robertklep
Sign in to Comment

Related questions

Node JS - Passing Javascript object by reference to other files
Import functions from module to global namespace in Coffeescript?
Access the list of valid values for an Enum field in a Mongoose.js Schema
Node.js: Determine file size on modification
Node.js EXDEV rename error
Auth failed error when specifying database
findAndModify or findOneAndUpdate - "is not a function"
Migration from Angular 6 to Angular 7 cause error - Can't resolve 'core-js/es7/reflect'
process.env.API_URL is undefined
why am i getting ~ no response on stdout ~ in hacker rank nodejs
Guild Member Add does not work (discordjs) [duplicate]
javascript RegExp: how to match multiline and closetag
In Express.js, how do I make my template display the flash messages?
How to combine two Node.js App server together.
Finding intersection of two arrays in Node.js [duplicate]
What are Mocha equal tests?
Etag header not returned from jQuery.ajax() cross-origin XHR
Get image dimensions from url path
Node.JS Accurate Timer
Express change session every request

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!