Nodejs (Express) cannot set the SameSite attribute of cookies to None

Asked 2 months ago, Updated 2 months ago, 5 views

We are creating a backend for Twitter's view app on Nodejs (Express).
The login method is to use Twitter Api to save the token returned after authentication to the session and restore the session from the cookie when accessed again.
However, when accessing again, the cookie is blocked and the session information cannot be restored.
The browser I use is chrome, but from chrome version 80, if you do not specify the SameSite attribute, the SameSite attribute is Lax (sends cookies when called from the same domain) and in this case, the front and backend are different domains, so cookies are blocked.
So I was trying to set the SameSite attribute to None (send cookies no matter which site calls me), but I couldn't set it well, so I asked.
I think that if we devise the app.use(session({}) part, we can set the SameSite attribute to None...
If anyone knows the solution, could you help me?
Thank you for your cooperation.

Source Codes Affected

callback_url=env.URL+"oauth/callback";

app.use(
    cookieSession({
      name: "session",
      keys: ["thisappisawesome",
      maxAge —24*60*60*100
    })
);

app.use(cookieParser());

// Save to Session
passport.serializeUser(function(user, done){
    done(null, user.id);
});

// Available from req.user on restore router from session
passport.deserializeUser(function(user, done){
    done (null, user);
});

US>passport.use(
    new TwitterStategy({
        consumerKey: env.TWITTER_CONSUMER_KEY,
        consumerSecret: env.TWITTER_CONSUMER_SECRET,
        callbackURL:callback_url
    },
    async (token, tokenSecret, profile, done) = > {

        return done (null, profile);
    }
));

app.use(session({
    allowedHeaders: ['sessionId', 'Content-Type',
    ExposedHeaders: ['sessionId',
    secret: 'reply-analyzer',
    save: false,
    saveUninitialized:false
}));

varcors_set = {
    origin —env.CORS_ORIGIN_URL,
    methods: "GET, HEAD, PUT, PATCH, POST, DELETE",
    credentials —true // allow session cookie from browser to pass through
};

app.use(passport.initialize());
app.use(passport.session());
app.use(cors(cors_set));

Tried

1. I tried setting the cookie option in app.use(session({}), but I could not set the changed SameSite attribute to None

app.use(session({
    allowedHeaders: ['sessionId', 'Content-Type',
    ExposedHeaders: ['sessionId',
    secret: 'reply-analyzer',
    save: false,
    saveUninitialized: false,
    Cookies: {
        secure —true,
        sameSite: 'None'
      }
}));

2. I tried using the following middleware (express-samesite-default), but I was unable to set the changing SameSite attribute to None

varsameSiteCookieMiddleware=require("express-samesite-default");

app.use(sameSiteCookieMiddleware.sameSiteCookieMiddleware());

Supplementary information (for example, FW/Tool Version)

Node.js v12.18.2
chrome v84.0.4147.135

node.js google-chrome twitter cookie session

2022-09-30 11:13

1 Answers

I am writing down the method that I was able to solve because I was able to solve it myself.
There are cookieSession and session in the code, but either one seems to be fine, so I decided to use cookieSession this time.
Finally, the following is what happened:

var cookieSession=require("cookie-session");
app.set('trust proxy',1)
app.use(
    cookieSession({
      name: "__session",
      keys: ["key1",
        maxAge —24*60*60*100,
        secure —true,
        httpOnly:true,
        sameSite: 'none'
    })
);


2022-09-30 11:13

If you have any answers or tips


© 2022 OneMinuteCode. All rights reserved.