I'm using express-session to set a session cookie with a Redis session store. When the user logs in, I can successfully set a cookie logging them in, as shown by clicking the "lock" icon next to the page URL in Chrome and viewing the cookie. However, when the page is refreshed, my user is logged out as the cookie is gone.

How can I prevent loss of that cookie on page refresh?

My session options minus my routes look like this and I run my client on https.

```javascript
let sessionOptions = {
  secret: "REDACTED_FROM_STACKOVERFLOW",
  resave: true,
  name: "redisSession",
  // Not an express-session option at this level (ignored); the cookie lifetime comes from cookie.maxAge.
  expires: new Date(Date.now() + (60 * 1000 * 60 * 100000)),
  store: new RedisStore({client: redisClient}),
  cookie: {
    sameSite: 'none',
    secure: true,
    httpOnly: true,
    maxAge: 1000 * 60 * 1000
  },
  rolling: true, // re-sends the session cookie on every response, resetting its expiry
  saveUninitialized: true
};
app.use(cors({credentials: true, origin: 'https://localhost:8080'}));
app.use(cookieParser("REDACTED_FROM_STACKOVERFLOW"));
// TLS key and certificate for the local HTTPS server (declared once).
const httpsOptions = {
  key: fs.readFileSync(process.env.localHostCertKeyPath),
  cert: fs.readFileSync(process.env.localHostPemPath)
};
const server = https.createServer(httpsOptions, app).listen(
  constants.LOCAL_PORT,
  constants.HOST_NAME,
  () => {
    console.log("https://" + constants.HOST_NAME + ':' + constants.LOCAL_PORT + '/');
  }
);
```

  • Redis's logs show no errors.
  • The cookie is set. It's just being deleted afterwards. My login and logout routes work.
  • The expiration time of my cookies as seen in Chrome is well after I refresh the page.
  • The req.session object and set variables are accessible using the cookie if the page is not refreshed.
  • I'm using express, express-session, redis and connect-redis libraries.
  • Front end is on React.

Edit:

Request screenshot

Full Text:

redisSession=s:YGOMoRx_wWiIiqiYOYaIfcbbKfBujg7w.92wwY6TupTwVjRs4FLbWLxxSi6bm5XW7fDwNfXInW4Q; Path=/; Expires=Sun, 07 Mar 2021 16:18:28 GMT; HttpOnly; Secure; SameSite=None

lleontan
  • Can you please share a screenshot of the "login request" (In the browser open the dev tools, go to the network tab -> click on the request that sets that cookie, scroll to the "Set-Cookie" header in the response headers)? – Leibale Eidelman Mar 06 '21 at 22:26
  • [Here's the screenshot of the request with the set-cookie](https://imgur.com/a/OMV45Yc). Full text is "redisSession=s:YGOMoRx_wWiIiqiYOYaIfcbbKfBujg7w.92wwY6TupTwVjRs4FLbWLxxSi6bm5XW7fDwNfXInW4Q; Path=/; Expires=Sun, 07 Mar 2021 16:18:28 GMT; HttpOnly; Secure; SameSite=None" – lleontan Mar 06 '21 at 23:42
  • Try to follow [these steps](https://stackoverflow.com/questions/46288437/set-cookies-for-cross-origin-requests#46412839). – Leibale Eidelman Mar 07 '21 at 00:09

1 Answer

When the page is refreshed, the cookie disappears, but my status checkup route actually sets the cookie again, but the Chrome "lock" icon cookie count didn't show that it existed. As a result, my client had the cookie in storage/cookies but wasn't rendering that it was logged in. I made a function call to update my visuals, and the cookie showed up in the "lock" dropdown for some reason.

lleontan
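An added example, not part of the original thread or the asker's code: a small Node.js check that parses a `Set-Cookie` header carrying the attributes shown in the question and reports whether a browser will keep the cookie and whether client-side script can read it. The function names, the issue labels and the placeholder cookie values are assumptions made for illustration.

```javascript
// Parse one Set-Cookie header value; attribute names are lower-cased, bare flags become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf('=');
    attrs[(i < 0 ? part : part.slice(0, i)).toLowerCase()] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Report how a browser treats the cookie at time `now` (hypothetical helper).
function auditSessionCookie(header, now = new Date()) {
  const { name, attrs } = parseSetCookie(header);
  const issues = [];

  // Max-Age takes precedence over Expires (RFC 6265); neither means a browser-session cookie.
  let expiresAt = null;
  if (attrs['max-age'] !== undefined) {
    expiresAt = new Date(now.getTime() + Number(attrs['max-age']) * 1000);
  } else if (attrs.expires !== undefined) {
    expiresAt = new Date(attrs.expires);
  }
  if (expiresAt && expiresAt <= now) issues.push('already-expired');

  // Chrome rejects SameSite=None cookies that are not also marked Secure.
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (sameSite === 'none' && !attrs.secure) issues.push('samesite-none-without-secure');

  return {
    name,
    expiresAt,
    keptAcrossRefresh: issues.length === 0, // true when neither check above fired
    // HttpOnly cookies are invisible to document.cookie, so a React client can only
    // learn the login state by asking the server (e.g. a status route).
    readableByScript: !attrs.httponly,
    issues,
  };
}

// Attributes as quoted in the question; the cookie value is a placeholder.
const FROM_QUESTION =
  'redisSession=s:PLACEHOLDER_SID.PLACEHOLDER_SIG; Path=/; Expires=Sun, 07 Mar 2021 16:18:28 GMT; HttpOnly; Secure; SameSite=None';
// Constructed for contrast: expires immediately and lacks Secure.
const CONSTRUCTED_WEAK = 'redisSession=example; Path=/; Max-Age=0; SameSite=None';

const SAMPLE_NOW = new Date('2021-03-06T23:42:00Z'); // constructed "current time"
console.log(auditSessionCookie(FROM_QUESTION, SAMPLE_NOW));
console.log(auditSessionCookie(CONSTRUCTED_WEAK, SAMPLE_NOW));
```

For the header in the question the audit reports no issues and `readableByScript: false`, which matches the answer: the cookie was present, and the UI only reflected it after the client re-queried the server.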