I'm trying to set up secure cookies on an express app running on Heroku. I've tried both app.set('trust proxy', true) and setting proxy: true in the session config. In both cases, the cookie fails to be modified once deployed to Heroku using an SSL cert.

Other things: I never implemented resave = true in the session since mongo-connect has a touch method.
const express = require('express');
const session = require('express-session');
// Assumed: the store is connect-mongo, whose older constructor form takes
// exactly the url / collection / touchAfter options used below.
const MongoDBStore = require('connect-mongo')(session);

const app = express();

// Assumed: the cookie Domain attribute must be the bare hostname the browser
// is talking to (e.g. foo.herokuapp.com), not a URL with a scheme or path.
const baseURL = process.env.BASE_URL;

const userSessionStore = new MongoDBStore({
    url: 'foo',          // placeholder MongoDB connection string
    collection: 'bar',   // placeholder collection name
    touchAfter: 3600,    // only re-save an unchanged session once per hour
});

const sess = {
    secret: process.env.SESSION_SECRET,
    name: 'name',
    resave: false,             // the store's touch() keeps sessions alive instead
    saveUninitialized: true,   // note: creates a session row for every visitor
    cookie: {
        maxAge: 1 * 24 * 60 * 60 * 1000   // one day
    },
    store: userSessionStore
};

if (process.env.NODE_ENV === 'production') {
    // Heroku's router terminates TLS and forwards plain HTTP with an
    // X-Forwarded-Proto header; without 'trust proxy' req.secure is false and
    // express-session will not set a secure: true cookie at all.
    app.set('trust proxy', true);
    sess.cookie = {
        ...sess.cookie,          // keep maxAge rather than replacing the whole object
        secure: true,
        httpOnly: true,
        domain: baseURL          // must match the request host exactly (see the answer)
    };
}

app.use(session(sess));
This problem was due to the baseURL variable not matching both the host and the subdomain on Heroku. Since Heroku hosts many apps at foo.herokuapp.com, matching the subdomain is required.
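To make the answer's point concrete, here is an added example (not code from the original post or from express-session) that models the two things a browser and express-session check before a secure session cookie ever appears: whether the Domain attribute is acceptable for the request host, per the domain-matching rule of RFC 6265 section 5.1.3, and whether the request counts as HTTPS behind a TLS-terminating router. The public-suffix list is a constructed, partial stand-in for the real one; herokuapp.com is on the real Public Suffix List, which is why a cookie scoped to the bare parent domain would be refused as well. The function names and the sample hosts are this example's own.

```javascript
// Added example, not part of the original post. Models cookie Domain
// acceptance (RFC 6265 §5.1.3 / §5.3) and proxy-aware HTTPS detection
// without Express, so it runs offline.

// Constructed, partial stand-in for the Public Suffix List. Browsers refuse
// to set a cookie whose Domain attribute is a public suffix, so a cookie for
// "herokuapp.com" would be shared across every Heroku app and is rejected.
const PUBLIC_SUFFIXES = new Set(['com', 'herokuapp.com']);

// RFC 6265 §5.1.3: host domain-matches `domain` when they are identical, or
// when host ends with "." + domain and host is not an IPv4 address.
function domainMatches(requestHost, domain) {
  const host = requestHost.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, '');
  if (host === d) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIPv4 && host.endsWith('.' + d);
}

// Would a browser talking to `requestHost` store a Set-Cookie that carries
// `Domain=domainAttr`? Returns false for every case the original question hit.
function cookieDomainAccepted(requestHost, domainAttr) {
  // A scheme, port or path means a URL was passed instead of a hostname
  // (the baseURL mistake from the question): browsers discard the cookie.
  if (/[:\/]/.test(domainAttr)) return false;
  const d = domainAttr.toLowerCase().replace(/^\./, '');
  if (PUBLIC_SUFFIXES.has(d)) return false;      // public suffix: rejected
  return domainMatches(requestHost, d);          // e.g. bar.herokuapp.com vs foo.: rejected
}

// express-session only emits a `secure: true` cookie when req.secure is true.
// Behind Heroku's router the dyno sees plain HTTP plus X-Forwarded-Proto, and
// Express only honours that header when 'trust proxy' is set. Modelled here
// with a plain headers object; `trustProxy` stands in for app.set('trust proxy').
function requestIsSecure(headers, trustProxy) {
  const xfp = headers['x-forwarded-proto'];
  if (trustProxy && typeof xfp === 'string') {
    // The header may carry a comma-separated list; the first entry is the client's scheme.
    return xfp.split(',')[0].trim().toLowerCase() === 'https';
  }
  return false; // TLS terminated upstream: the socket itself is not encrypted
}

// Production cookie options built on top of the base options, so that maxAge
// from the base config survives instead of being replaced wholesale.
function productionCookie(baseCookie, hostname) {
  if (!cookieDomainAccepted(hostname, hostname)) {
    throw new Error(`cookie domain "${hostname}" would be rejected by browsers`);
  }
  return { ...baseCookie, secure: true, httpOnly: true, sameSite: 'lax', domain: hostname };
}

module.exports = { domainMatches, cookieDomainAccepted, requestIsSecure, productionCookie };
```

Running cookieDomainAccepted('foo.herokuapp.com', 'https://foo.herokuapp.com') and cookieDomainAccepted('foo.herokuapp.com', 'herokuapp.com') both return false, which is the silent failure the question describes: the server sends Set-Cookie, the browser drops it, and nothing in the server logs says why. Checking the domain once at startup, as productionCookie does, turns that into a visible deploy-time error.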