Can't set partitioned cookie even though I updated all of the package #972

JamieNagy opened this issue Feb 12, 2024 · 6 comments
@JamieNagy

I'm using express-session:

```js
app.use(cookieParser());

app.use(
  session({
    store: new pgSession({
      pool: db,
      tableName: "session",
    }),
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    cookie: {
      sameSite: "none",
      secure: true,
      partitioned: true,
      maxAge: 30 * 24 * 60 * 60 * 1000,
    },
  })
);
```

I updated all of the packages, including express-session and cookie, but the partitioned attribute is not being recognized and is not being set. What should I do?

@esoylugoto

@HoneyMeat express is using cookie version 0.5.0 internally, which discards the partitioned option. You can manually build your cookie and set your response header. For that you have to use cookie 0.6.0 as a dependency:

```js
import { serialize } from 'cookie';
const cookie = serialize('myCookieName', 'mySessionId', {
  httpOnly: true,
  sameSite: 'none',
  secure: true,
  partitioned: true,
  path: '/',
});
return res.setHeader('Set-Cookie', cookie).status(200).send();
```

@JoseAlbertoVazq

Same problem over here. Updated express package to 4.19.0 and express-session to 1.18.0, both have 0.6.0 version of the cookie package. The cookie is being set with no partition applied.

```js
app.use(session({
  resave: false,
  saveUninitialized: false,
  secret: mySecret,
  cookie: {
    domain: myDomain,
    path: '/',
    sameSite: !_.isNil(sameSite) ? sameSite : 'lax',
    secure: !!(!_.isNil(secure) && secure.toLowerCase() === 'true'),
    partitioned: true, // <-- HERE is where the attribute has to be set according to Express Session docs
  },
  store: storeObject,
}));
```

Any tips on this??

@esoylugoto

@JoseAlbertoVazq if you check with developer tools, what do you see in your response headers, on the response which sets the cookie?
If it is malformed, the browser might silently discard it.

@esoylugoto

esoylugoto commented Mar 25, 2024

@JoseAlbertoVazq If you are checking the dev tools on a different domain than the one on which the cookie is set, your cookie connect.sid is expected to not show up. Are you sure you are checking it from the domain it is set on?

The Partition option makes the cookie work only from the domain it is set on.

@JoseAlbertoVazq

> @JoseAlbertoVazq If you are checking the dev tools on a different domain than the one on which the cookie is set, your cookie connect.sid is expected to not show up. Are you sure you are checking it from the domain it is set on?
>
> The Partition option makes the cookie work only from the domain it is set on.

The cookie is always shown but when I set the Partitioned attribute, and it always was like that, I'm running it on the same domain (on local, and on staging, but those are two different tests local --> local and staging --> staging)

@JoseAlbertoVazq

JoseAlbertoVazq commented Apr 2, 2024

Okay, so I found the solution for my case. I am also using cookie-parser and its last release is from three years ago, so the cookie lib in its package.json was the 0.4.1 version.

Make sure to add this to your package.json

npm:

```json
  "overrides": {
    "cookie": "0.6.0",
    "cookie-signature": "1.2.1"
  }
```

yarn:

```json
  "resolutions": {
    "**/cookie": "0.6.0",
    "**/cookie-signature": "1.2.1"
  }
```

Also, ensure that the secure attribute in the CookieOptions object is set to true and is not being overridden by anything else in any other place in your code.

Now it's working for me !!
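
The cause found in this thread was nested copies of `cookie` older than 0.6.0. As an added example (not code from the thread or from express-session), the Node.js script below walks the JSON printed by `npm ls cookie --all --json` and lists every stale copy with the dependency path that pulled it in. `findCopies`, `staleCookieCopies` and `sampleTree` are names made up here, and the sample tree is constructed.

```javascript
// Added example: find every installed copy of `cookie` that predates 0.6.0.
// Real input would be JSON.parse() of the output of `npm ls cookie --all --json`.

// Per this thread, copies older than 0.6.0 discard the `partitioned` option.
const MIN_VERSION = '0.6.0';

// Compare two x.y.z versions; returns <0, 0 or >0. Pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Walk the tree and collect every node named `name`, with the path that led to it.
function findCopies(tree, name, path = [tree.name || '(root)'], out = []) {
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    // Unmet dependencies have no version; skip them instead of crashing.
    if (dep === name && node.version) {
      out.push({ version: node.version, via: here.join(' > ') });
    }
    findCopies(node, name, here, out);
  }
  return out;
}

// Every copy of `cookie` that would drop the Partitioned attribute.
function staleCookieCopies(tree) {
  return findCopies(tree, 'cookie').filter(
    (c) => compareVersions(c.version, MIN_VERSION) < 0
  );
}

// Constructed sample, trimmed to the fields the walker reads.
const sampleTree = {
  name: 'my-app',
  dependencies: {
    express: { dependencies: { cookie: { version: '0.5.0' } } },
    'cookie-parser': { dependencies: { cookie: { version: '0.4.1' } } },
    'express-session': { version: '1.18.0', dependencies: { cookie: { version: '0.6.0' } } },
  },
};

for (const c of staleCookieCopies(sampleTree)) {
  console.log(`cookie@${c.version} via ${c.via}`);
}
```

An empty result after adding the `overrides` or `resolutions` entry and reinstalling means no package in the tree still resolves to an older copy.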
