CordlessWool CordlessWool - 7 months ago 62
Node.js Question

use nodejs module express-session with secure does not work

I use express-session module with redis connection and nginx proxy. If I use it with secure: false the sid cookie is set. But if I set it to secure it does not. I am set a other cookie directly with express and secure: true and it works.

Express-Session config in Express:

//proxy configuration
app.set('trust proxy', 1); // trust first proxy (ngnix proxy)


secret: 'to-secret-to-show',
resave: false,
saveUninitialized: true,
rolling: true,
cookie: {
httpOnly: true,
sameSite: 'strict',
secure: secure
store: new RedisSessionStore({
client: redis,
ttl: 86400, //time to life, one day

If secure is set to true or false depents on the envirement. I try to set it directly to true, but does not make a chnage.

nginx proxy settings:

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
#proxy_set_header X-Forwarded-Host $http_host;

proxy_pass http://nodejs;
proxy_redirect off;

When I look at Dokumentation files it should be correct. Do I forgot something? I can not make to heavy test, because I have only my live system with secure connections.


Try adding an X-Forwarded-Proto header:

proxy_set_header X-Forwarded-Proto $scheme;

This is how express-session determines if the connection to nginx was secure.