We have a Node.js/Express application sitting behind stunnel for SSL termination. I cannot figure out how to force secure session cookies. Looking at the session middleware source:

```javascript
// only send secure session cookies when there is a secure connection.
// proxySecure is a custom attribute to allow for a reverse proxy
// to handle SSL connections and to communicate to connect over HTTP that
// the incoming connection is secure.
var secured = cookie.secure && (req.connection.encrypted || req.connection.proxySecure);
if (secured || !cookie.secure) {
  res.setHeader('Set-Cookie', cookie.serialize(key, req.sessionID));
}
```
I apparently have to set req.connection.proxySecure to true, but I don't know how to do that. It appears stunnel is supposed to communicate this "over HTTP", but stunnel can't set headers. So I am at a loss. Should I instead try to set it locally by a custom bit of middleware before the session middleware, or in a connect config variable somewhere?
Thanks for any help
Ensure the proxy is setting the `X-Forwarded-Proto: https` header. You must then add the `proxy: true` config param to the session middleware.
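As an added illustration (not code from the question, the answer, or the connect project) of the asker's alternative of a custom middleware placed before the session middleware: it sets `req.connection.proxySecure` only when the `X-Forwarded-Proto: https` header arrives from a trusted proxy address, because a header-only check would let any direct client obtain a "secure" cookie over plain HTTP. The trusted addresses (loopback, assuming stunnel runs on the same host), `willSendSecureCookie` (a mirror of the quoted check) and the constructed request objects are assumptions for the demo.

```javascript
// Added example: connect/express-style middleware that honours X-Forwarded-Proto
// only from a trusted reverse proxy. Assumes stunnel connects from loopback.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

function isTrustedProxy(req) {
  const addr = req.connection && req.connection.remoteAddress;
  return TRUSTED_PROXIES.has(addr);
}

function proxySecureMiddleware(req, res, next) {
  // Take the first value in case several proxies appended to the header.
  const raw = String(req.headers['x-forwarded-proto'] || '');
  const proto = raw.split(',')[0].trim().toLowerCase();
  if (isTrustedProxy(req) && proto === 'https') {
    req.connection.proxySecure = true;
  } else {
    // A header from an untrusted peer is ignored, so later middleware
    // cannot be fooled into treating a plain-HTTP request as secure.
    req.connection.proxySecure = false;
  }
  next();
}

// Mirror of the check in the session middleware quoted in the question,
// kept here so the middleware's effect can be tested without connect.
function willSendSecureCookie(req, cookieSecure) {
  const secured = cookieSecure && (req.connection.encrypted || req.connection.proxySecure);
  return Boolean(secured || !cookieSecure);
}

// Constructed request objects standing in for what Node hands the middleware.
function makeReq(remoteAddress, headers) {
  return { connection: { remoteAddress: remoteAddress, encrypted: false }, headers: headers };
}

// Returns true when a request with these properties would receive a secure cookie.
function run(remoteAddress, headers) {
  const req = makeReq(remoteAddress, headers);
  let nextCalled = false;
  proxySecureMiddleware(req, {}, () => { nextCalled = true; });
  return nextCalled && willSendSecureCookie(req, true);
}
```

With a session library that supports it, the answer's `proxy: true` setting does this trust decision for you; this middleware only shows what that flag has to guarantee.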