Where is the express session cookie hidden?

My express-session works; I tested it with a very short maximum cookie lifetime (10 seconds), and it works as intended:

    app.use(session({
      secret: 'xxx',
      resave: false,
      saveUninitialized: true,
      cookie: { secure: true, maxAge: 10000 }
    }));

It's strange that I can't find the cookie in my Chrome developer tools. Where is the cookie specified by express-session?


update #2: See my own answer if you want to know where to see the cookie if you send an AJAX request to an express server on another domain.

update - session management on my express server:

    app.post('/verify', function(req, res){
      let out = [];
      if(!req.session.userId){
        if(typeof req.body.token !== 'undefined'){
          admin.auth().verifyIdToken(req.body.token)
            .then(function(decodedToken) {
              let uid = decodedToken.uid;
              if(!req.session.userId){
                req.session.userId = uid;
              }
              res.send(uid);
              // ...
            }).catch(function(error) {
              // Handle error (note: this sends the raw error object back to the client)
              res.send(error);
            });
        }else{
          res.send('no token received');
        }
      }else{
        res.send('already logged in by session with uid: ' + req.session.userId + ' | session id: ' + req.session.id);
      }
    });

and how the server is "started":

    app.listen(port, function () {
      console.log('Example app listening on port ' + port + '!');
    });

The problem is that the session is working, but I can not see the cookies:


2 answers

TL;DR

You can find cookies in Chrome DevTools under:
Application > Storage > Cookies > URL of the express Server

Where to begin

To show that express cookies are stored correctly, I start with a simple test server. Please note that you used cookie.secure = true in your question, which requires https to connect to the server. Otherwise, cookies will be deleted immediately by browsers. So let me use this simple one:

    let fs = require('fs');
    let privateKey = fs.readFileSync('../../../apache/conf/ssl.key/server.key', 'utf8');
    let certificate = fs.readFileSync('../../../apache/conf/ssl.crt/server.crt', 'utf8');
    let credentials = {key: privateKey, cert: certificate};
    let https = require('https');
    let app = require('express')();
    let session = require('express-session');

    app.use(session({
      secret: 'keyboard cat',
      resave: false,
      saveUninitialized: true,
      cookie: {secure: true, maxAge: 10000}
    }));

    // Count the views of this session and echo the counter back
    app.all('*', function(req, res) {
      res.status(200);
      res.setHeader('Content-Type', 'text/html');
      if (!req.session.views) {
        req.session.views = 0;
      }
      req.session.views++;
      res.write('<p>views: ' + req.session.views + '</p>');
      res.end();
    });

    https.createServer(credentials, app).listen(8080);

If it works correctly, you can open https://localhost:8080 in your browser and see the contents, for example views: 1 .

When you refresh the browser, the counter should increase with each request. The maximum cookie lifetime without a request is 10 seconds. After this time, the counter starts again from 1.

Where to Find Cookies in DevTools

For those 10 seconds, you can see the cookie under Application > Storage > Cookies > URL of the express Server inside Chrome DevTools. The cookie value in this case is, of course, encrypted.


Some tips when using AJAX

As you mentioned later, your question relates to AJAX calls. In general, it is still the same as above. You can even see AJAX-created cookies instantly on the Storage > Cookies tab. But only if your cookie is configured correctly and belongs to the same domain.

Cookies on the Storage tab are selected by cookie domain and cookie path. Everything that matches the pattern will be shown and updated in the list. Therefore, in your example, it seems that the cookie does not match the requesting page.

As I saw on your page, you open the page using the URL https://***.firebaseapp.com and execute an AJAX request to https://***.herokuapp.com/verify/ , which are two completely different domains. That is why you do not see them on the Storage tab!

If this still does not work when using the same domain, set cookie.path in the session settings. Then everything should work as described above. ;)


My question was missing important information, as I now found out. I did not mention that the request is sent via AJAX.
In Chrome (and, as it seems to me, in most browsers) you don't see these "cookies" where the cookies of the "site" are displayed; you see them on the Network tab, in the details of the AJAX request.



Source: https://habr.com/ru/post/1275127/
