ALB, SSL, cookie.secure set to true: req.session does not work


I have a web app built with Express; the request flow is:

client -> website -> ALB (HTTPS listener with an imported certificate, so TLS terminates at the ALB) -> ECS -> Fargate -> Express app.

Inside app.js I call `app.use(ExpressSession(esConfig))`, where `esConfig` is:

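esConfig = {
    name: serverConfig.session.name,
    cookie: {
        maxAge: 2 * 60 * 60 * 1000, // 2 hours, in milliseconds
        secure: true,   // browser only sends the cookie over HTTPS
        httpOnly: true, // express-session's default, made explicit: no script access to the id
        // 'lax' still sends the cookie on the top-level GET redirect from
        // Google back to /auth/google/oauth2callback; 'strict' would drop it
        // there and break the OAuth round trip. Only if the app is embedded
        // cross-site (iframe) would 'none' be needed instead.
        sameSite: 'lax',
    },
    // TLS terminates at the ALB, so this process only ever sees plain HTTP
    // and would treat every request as insecure. With `secure: true`
    // express-session then never emits Set-Cookie at all, which is exactly
    // why values stored in req.session do not survive to the next request.
    // `proxy: true` makes express-session trust the X-Forwarded-Proto header
    // the ALB adds; when it is unset, it falls back to Express's req.secure
    // (i.e. to app.set('trust proxy', ...)). If the cookie is still not set,
    // log req.headers['x-forwarded-proto'] and req.secure inside a route to
    // confirm what actually reaches the task.
    proxy: true,
    secret: serverConfig.session.secret,
    resave: false,
    saveUninitialized: false,
};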

Before this change `cookie.secure` was `false` and everything worked. Now we have to set `cookie.secure` to `true`, and since then, in our production environment (served over HTTPS), I cannot set or read any `req.session` variables. What could the problem be? As I understand it, with `secure: true` express-session only sets the cookie when it considers the request secure, and because the ALB terminates TLS the app itself only sees plain HTTP, so it has to trust the `X-Forwarded-Proto` header from the ALB.

I tried `app.set('trust proxy', 1);`, but it did not help.

Inside app.js:

const express = require('express')
const app = express()
// Behind the ALB this process only sees plain HTTP. Trusting one proxy hop
// is meant to make Express derive req.protocol / req.secure from the
// X-Forwarded-Proto header the ALB adds, which `cookie.secure: true` in
// express-session depends on (otherwise the cookie is never set).
// NOTE(review): this must be applied to the same app instance the session
// middleware is mounted on; if the cookie still is not set, log
// req.headers['x-forwarded-proto'] and req.secure to see what arrives here.
app.set('trust proxy', 1); 

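function setupSessions(app) {
    // Mounts express-session on `app`.
    //
    // The app runs behind an AWS ALB that terminates TLS, so this process
    // only ever sees plain HTTP from the load balancer. express-session
    // refuses to emit a `secure: true` cookie on a request it does not
    // consider secure, which is why req.session values silently stop
    // surviving between requests once `secure` is enabled: Set-Cookie is
    // never sent at all.
    //
    // `proxy: true` makes express-session trust the X-Forwarded-Proto header
    // the ALB adds, independently of the app-level `trust proxy` setting
    // (when `proxy` is unset it falls back to Express's req.secure). If the
    // cookie still is not set, log req.headers['x-forwarded-proto'] and
    // req.secure inside a route to confirm what actually reaches the task.
    const esConfig = {
        name: serverConfig.session.name,
        cookie: {
            maxAge: 2 * 60 * 60 * 1000, // 2 hours, in milliseconds
            secure: true,   // browser only sends the cookie over HTTPS
            httpOnly: true, // express-session's default, made explicit: no script access to the id
            // 'lax' still sends the cookie on the top-level GET redirect from
            // Google back to /auth/google/oauth2callback; 'strict' would drop
            // it there and break the OAuth round trip. Only if the app is
            // embedded cross-site (iframe) would 'none' be needed instead.
            sameSite: 'lax',
        },
        proxy: true,
        secret: serverConfig.session.secret,
        resave: false,
        saveUninitialized: false,
    };
    // ... other code omitted in the question ...
    app.use(ExpressSession(esConfig));
}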
// Registers the auth routes (googleAuthSetup in auth.js) on `app`. Those
// handlers read and write req.session, so the session middleware mounted by
// setupSessions(app) must already be in place when they run.
// NOTE(review): the call to setupSessions(app) is not visible in this
// excerpt; verify it happens before this line.
let router = require('../common/auth')(app, express)

I use `req.session` in auth.js (below), and this fails because a value stored in `req.session` on one request is no longer there on the next one.

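function googleAuthSetup() {
    log.warn('googleAuthSetup')
    const configOauth2Google = configOauth2.google
    // Google login is optional: without a google section in the OAuth2
    // config neither the strategy nor the routes are registered.
    if (!configOauth2Google) return

    passport.use(new GoogleStrategy({
        clientID: configOauth2Google.clientId,
        clientSecret: configOauth2Google.clientSecret,
        userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo"
    },
        // Verify callback: maps the Google profile to a local user record.
        // The tokens are not used; only a verified e-mail identifies the user.
        (_accessToken, _refreshToken, profile, done) => {
            // The last *verified* address wins. "noemail" can never match a
            // real record, so a profile without a verified address ends up
            // in the "not registered" branch below.
            let lowerEmail = "noemail"
            const emails = Array.isArray(profile.emails) ? profile.emails : []
            emails.forEach(record => {
                if (record.verified) lowerEmail = record.value.toLowerCase()
            })

            mongoose.model(configAuth.schema).findOne({
                "email": lowerEmail
            }, "email dateFormat tocVersion +isGoodMeasureAdmin obfuscatedEmail showDeleted", (err, dbuser) => {
                // Throwing inside a Mongoose callback is not caught by
                // Express; hand the error to passport so it reaches the
                // normal error handling instead of crashing the process.
                if (err) return done(err)

                if (!dbuser) {
                    log.info(`login failed: ${lowerEmail} not registered in system`)
                    return done(null, false, {
                        message: `${lowerEmail} not registered in system.`
                    })
                }

                // On non-production servers only admins may log in. The
                // substring test also lets any registered address that
                // merely contains 'goodmeasuretesting' through; an exact
                // allow-list would be tighter (left unchanged here because
                // the intended set of test accounts is not visible).
                if (!dbuser.isGoodMeasureAdmin && serverConfig.testMode && !lowerEmail.includes('goodmeasuretesting')) {
                    return done(null, false, {
                        message: "Non-admin cannot log in to non-production server."
                    })
                }

                const lid = _dbUserLoginData(dbuser)
                if (profile.photos && profile.photos.length) lid.picture = profile.photos[0].value
                lid.name = profile.displayName
                return done(null, lid)
            })
        }
    ))

    router.get('/auth/google',
        (req, res, next) => {
            // The callback URL is derived from the incoming request
            // (_getReferrerHostFromRequest, presumably a request header, i.e.
            // client-controlled) and remembered in the session for the
            // callback leg. Google only accepts redirect URIs registered for
            // this client, which bounds the damage, but a configured base URL
            // would be the safer source. NOTE(review): confirm which header
            // the helper reads.
            const referrerHost = _getReferrerHostFromRequest(req)
            console.log("_getReferrerHostFromRequest(req)", referrerHost);
            req.session.redirect_uri = referrerHost + "/auth/google/oauth2callback"
            passport.authenticate('google', {
                scope: configOauth2Google.scope,
                callbackURL: req.session.redirect_uri,
                prompt: 'select_account'
            })(req, res, next)
        }
    )

    router.get('/auth/google/oauth2callback', (req, res, next) => {
        // redirect_uri must be the same value sent on the first leg, so the
        // session cookie has to survive the round trip through Google. If it
        // did not (e.g. a `secure` cookie that was never set because the
        // request did not look like HTTPS to this process), the token
        // exchange fails with a redirect_uri mismatch; log it so the cause
        // is visible rather than buried in the OAuth error.
        if (!req.session || !req.session.redirect_uri) {
            log.warn('oauth2callback reached without redirect_uri in session: the session cookie was not sent back')
        }
        passport.authenticate('google', { callbackURL: req.session.redirect_uri }, new FinalAuthHandler(req, res))(req, res, next)
    })
}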
