I have two web applications in an app suite, both running NodeJs on the same server. I want a user to log into one and be automatically signed in on the other. I recognize that I could send a GET request with all necessary data, but I would rather just automatically sync cookies. If I use express-session to give cookies the same secret key on both apps, can they share cookies? If not, what is the best and most secure way to transfer cookies from one site to another?
Cookies from a browser are associated with a domain, not a port. So multiple servers on the same domain but on different ports will receive the same cookies from the browser automatically, without you doing anything, as long as the cookies are not restricted to a particular path.
You can also configure cookies to be shared with subdomains if you want, so even different hosts on a subdomain could share cookies.
> I want a user to log into one and be automatically signed in on the other.
Both servers will see the same cookies so if your login mechanism recognizes the cookies from one server in the other server, then it should just all work.
> If I use express-session to give cookies the same secret key on both apps, can they share cookies?
Two separate node.js apps would have two separate express-session instances. You would have to store session data in a common, shared database for two separate servers to be able to access the same session data.
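The following is an added example, not code from the question or the answer: a simplified model of a signed session-id cookie (`s:` + id + `.` + HMAC-SHA256) showing that a second app accepts the first app's cookie only when it has both the same secret and the same session store. `makeApp`, the `Map` standing in for a shared database, and the secrets are hypothetical, constructed values.

```javascript
const crypto = require('crypto');

// Build the cookie value: "s:" + session id + "." + unpadded base64 HMAC-SHA256.
function sign(sid, secret) {
  const mac = crypto.createHmac('sha256', secret).update(sid)
    .digest('base64').replace(/=+$/, '');
  return `s:${sid}.${mac}`;
}

// Return the session id if the signature verifies under this secret, else null.
function unsign(cookie, secret) {
  if (typeof cookie !== 'string' || !cookie.startsWith('s:')) return null;
  const sid = cookie.slice(2, cookie.lastIndexOf('.'));
  const expected = Buffer.from(sign(sid, secret));
  const actual = Buffer.from(cookie);
  const ok = expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual);
  return ok ? sid : null;
}

// Hypothetical stand-in for one Node.js app: its secret plus its session store.
function makeApp(secret, store) {
  return {
    login(user) {
      const sid = crypto.randomBytes(24).toString('hex');
      store.set(sid, { user });   // session data lives server-side
      return sign(sid, secret);   // only the signed id goes in Set-Cookie
    },
    whoami(cookie) {
      const sid = unsign(cookie, secret);
      if (sid === null) return 'bad-signature';
      const session = store.get(sid);
      return session ? session.user : 'no-session';
    },
  };
}

function demo() {
  const shared = new Map(); // stands in for a shared database such as Redis
  const appA = makeApp('constructed-shared-secret', shared);
  const appB = makeApp('constructed-shared-secret', shared);
  const ownStore = makeApp('constructed-shared-secret', new Map());
  const otherSecret = makeApp('constructed-other-secret', shared);
  const cookie = appA.login('alice'); // the browser sends this to both ports
  return {
    sharedStoreAndSecret: appB.whoami(cookie),
    sameSecretOwnStore: ownStore.whoami(cookie),
    otherSecretSharedStore: otherSecret.whoami(cookie),
  };
}
```

With the same secret but a separate store, the cookie verifies and still resolves to no session, because the cookie carries only the session id and not the session data.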