express-session secure: true

我的梦境 提交于 2020-07-06 13:45:56

问题


app.use(session({
    secret: "testing credentials",
    store: sessionStore,
    resave: true,
    saveUninitialized: true,
    cookie  : {
        httpOnly: true,
        //secure: true,
        maxAge  : 60 * 60 * 1000 
    }
}));

I'm working on some security problems on my newly developed website. And after done some research online, if secure=true is set, then it will be more secure. However, If set secure: true, then information inside session will lose every time when the user send another request. Is there a way to solve this problem? If doesn't include "secure: true" in the cookie: , then the session will last for that maxAge.


回答1:


If a cookie is set with the secure flag, it will only be sent to the server by the browser over https, and not plain http. This should be the default for production environments.

However, when developing an app, you probably use plain http on your dev machine. If you set your session cookie as secure in this case (using plain http), the server will never receive it, and you will experience a new empty session on each request.

So in short, you should only set the cookie as secure if you are using https (that is, in later stages of your development pipeline, and definitely in production).

On another note, if you set maxAge, the cookie will be persisted, which is not the best practice for session cookies. Without maxAge, the cookie will be kept until the user closes the browser and not normally persisted to disk, which is the correct behaviour for session cookies.



来源:https://stackoverflow.com/questions/40324121/express-session-secure-true

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!