Where is the express-session cookie hidden?

My express-session is working, I tested it with a very short cookie max-age (10 secs) and it works as intended:

app.use(session({
  secret: 'xxx',
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true, maxAge: 10000 }
}));

The strange thing is that I can't find the cookie anywhere in my Chrome Developer Tools. Where is the cookie set by express-session hidden?

update #2: See my own answer if you want to know where to see the cookie if you are sending an ajax request to an express server on another domain.

update - the session management on my express server:

app.post('/verify', function(req, res){
    let out = [];

    if(!req.session.userId){

        if(typeof req.body.token !== 'undefined'){
            admin.auth().verifyIdToken(req.body.token)
            .then(function(decodedToken) {
              let uid = decodedToken.uid;

              if(!req.session.userId){
                  req.session.userId = uid;
              }

              res.send(uid);
              // ...
            }).catch(function(error) {
              // Handle error
              res.send(error);
            });
        }else{
            res.send('no token received');
        }
    }else{
        res.send('already logged in by session with uid: ' + req.session.userId + ' | session id: ' + req.session.id);
    }
});

and that's how the server is "started":

app.listen(port, function () {
  console.log('Example app listening on port ' + port + '!');
});

the problem is that the session(s) work, but I am not able to see the cookie(s):


low_rents asked Feb 02 '18 12:02


2 Answers

TL;DR

You can find the Cookie in the Chrome DevTools under:
Application > Storage > Cookies > URL of the express Server

Where to start

To show that the cookies of express are stored correctly, I've started with a simple test server. Note that you used cookie.secure = true in your question, which requires an https connection to the server. Otherwise, the cookie will be dropped immediately by the browser. So let's use this simple one:

let fs = require('fs');

let privateKey  = fs.readFileSync('../../../apache/conf/ssl.key/server.key', 'utf8');
let certificate = fs.readFileSync('../../../apache/conf/ssl.crt/server.crt', 'utf8');
let credentials = {key: privateKey, cert: certificate};

let https = require('https');
let app = require('express')();
let session = require('express-session');

app.use(session({
    secret: 'keyboard cat',
    resave: false,
    saveUninitialized: true,
    cookie: {secure: true, maxAge: 10000}
}));

app.all('*', function(req, res) {
    res.status(200);
    res.setHeader('Content-Type', 'text/html');

    if (!req.session.views) {
        req.session.views = 0;
    }

    req.session.views++;
    res.write('<p>views: ' + req.session.views + '</p>');
    res.end();
});

https.createServer(credentials, app).listen(8080);

When working correctly, you should be able to open https://localhost:8080 in your browser and see content like views: 1.

When refreshing the browser, the count should be increased with every request. The max lifetime of the cookie without a request is 10 seconds. After this time, the count will start at 1 again.

Where to find the Cookie in the DevTools

Within the 10 seconds lifetime, you can see the cookie under Application > Storage > Cookies > URL of the express Server inside of the Chrome DevTools. The value of the cookie in this case is encrypted, of course.

(Screenshot: where to find the cookie in Chrome DevTools)

Some hints when using AJAX

As you mentioned later, your question belongs to AJAX calls. In general, it's all the same as above. You can even see AJAX-created cookies instantly in the Storage > Cookies tab. But only if your cookie is configured correctly and belongs to the same domain.

The cookies in the Storage tab are selected by the cookie domain and the cookie path. The list will show and update everything that matches the pattern. So it seems, in your example, that the cookie doesn't match the requesting page.

As I saw on your page, you are opening the page with the URL https://***.firebaseapp.com and do an AJAX request to https://***.herokuapp.com/verify/, which are two completely different domains. That's why you don't see them in the Storage tab!

If this still does not work when using the same domain, set a cookie.path in your session configuration. Then everything should work as described above. ;)

eisbehr answered Oct 01 '22 17:10


My question was missing some important information as I now have found out.
What I did not mention is that the request is sent via ajax.
In Chrome (and I guess in most browsers) you don't see those "connection cookies" where the "site" cookies are shown. You see them in the connection tab under the detailed information of the ajax request.


low_rents answered Oct 01 '22 16:10