Secure cookies node.js + Heroku + CloudFlare

I looked at this answer and this answer, but no dice. My problem is that when my application is accessed through https://appname.herokuapp.com, everything works fine, but when it is accessed via https://www.appname.com (which CloudFlare aliases to https://appname.herokuapp.com), it breaks.

In particular, when a user logs in, authentication is processed correctly, but the user's session cookie is not set correctly. Therefore, when the logged-in user is redirected to the next screen, the request is rejected as unauthorized.

Now I am doing it in express:

var mySession = session({
    key: "sid",
    secret: process.env.SESSIONS_SECRET,
    proxy: true,
    cookie: {
        maxAge: 86400000,
        secure: true,
    },
    store: rDBStore,
    resave: false,
    saveUninitialized: true,
    unset: 'destroy'
});
app.enable('trust proxy');
app.use(mySession);

Am I missing something in my node code or in my CloudFlare settings?

+5
1 answer

Maybe this is because CloudFlare puts the node application behind a proxy?

Quote from the expressjs/session documentation:

If you have your node.js behind a proxy and are using secure: true, you need to set "trust proxy" in express:

app.set('trust proxy', 1)

https://github.com/expressjs/session#cookiesecure

0
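A model of the check the quoted documentation describes, as an added example that is not part of the original answer and not code from Express or express-session: it shows why a `secure: true` cookie is silently skipped when the app does not see the request as HTTPS. The function and field names are hypothetical and the requests are constructed.

```javascript
// Added example: simplified model, NOT the source of Express or express-session.
// All function and field names here are hypothetical.

// First value of X-Forwarded-Proto, as set by the hop in front of the app.
function forwardedProto(req) {
  const header = req.headers['x-forwarded-proto'] || '';
  return header.split(',')[0].trim().toLowerCase();
}

// Express side: req.secure honours the header only when 'trust proxy' is set.
function reqSecure(req, appTrustsProxy) {
  if (req.socketEncrypted) return true;
  return appTrustsProxy ? forwardedProto(req) === 'https' : false;
}

// Session side: `proxy: true` reads the header itself, `proxy: false` ignores
// it, and leaving `proxy` undefined defers to Express's req.secure.
function connectionIsSecure(req, cfg) {
  if (req.socketEncrypted) return true;
  if (cfg.sessionProxy === false) return false;
  if (cfg.sessionProxy === undefined) return reqSecure(req, cfg.appTrustsProxy);
  return forwardedProto(req) === 'https';
}

// A cookie with secure: true is only emitted on a connection judged secure.
function willSetCookie(req, cfg) {
  return !cfg.cookieSecure || connectionIsSecure(req, cfg);
}

// Constructed requests: TLS ends at the proxy, so the app's socket is plain.
const fwdHttps = { socketEncrypted: false, headers: { 'x-forwarded-proto': 'https' } };
const fwdHttp = { socketEncrypted: false, headers: { 'x-forwarded-proto': 'http' } };

// Configurations: the docs' failure case, the docs' fix, the question's setup.
const noTrust = { cookieSecure: true, sessionProxy: undefined, appTrustsProxy: false };
const trustOne = { cookieSecure: true, sessionProxy: undefined, appTrustsProxy: true };
const asPosted = { cookieSecure: true, sessionProxy: true, appTrustsProxy: true };

function demo() {
  return {
    noTrustHttps: willSetCookie(fwdHttps, noTrust),   // false: header ignored
    trustOneHttps: willSetCookie(fwdHttps, trustOne), // true
    asPostedHttps: willSetCookie(fwdHttps, asPosted), // true
    asPostedHttp: willSetCookie(fwdHttp, asPosted),   // false: proto says http
  };
}

console.log(demo());
```

If the last case matches a deployment, logging the `X-Forwarded-Proto` value the app receives on the failing hostname shows which hop reports `http`.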

Source: https://habr.com/ru/post/1233301/

