Search code examples
node.jsfirebase-authenticationsession-cookies

req.cookies.session is undefined in Chrome

I'm implementing session login and session cookie verification with node.js + express + firebase. My code below works in Firefox but not in Chorme. In Chrome, req.cookies.session is undefined

Here is my code:

    app.use(bodyParser.json());
    app.use(bodyParser.urlencoded({
        extended: true
    }));

    app.use(cookieParser());

async sessionLogin(req, res) {
        try {
            // Verify idToken
            const idToken = req.body.idToken.toString();
            var decodedToken = await this.authService.verifyIdToken(idToken);

            // Only process if the user just signed in in the last 5 minutes.
            if (new Date().getTime() / 1000 - decodedToken.auth_time > 5 * 60)
                throw { code: "auth/expired-token", message: "The provided token is expired."}

            // Set session expiration to 5 days.
            const expiresIn = 60 * 60 * 24 * 5 * 1000;
            const options = { maxAge: expiresIn, httpOnly: true, secure: true };

            var sessionCookie = await this.authService.createSessionCookie(idToken, { expiresIn });

            res.cookie('session', sessionCookie, options);
            res.json({ status: 'success' });
        } catch(err) {
            res.status(401).json(err);
        }
    }

    async checkSessionCookieMiddleware(req, res, next){
        const sessionCookie = req.cookies.session || '';
        console.log(sessionCookie);

        try {
            var decodedClaims = await this.authService.verifySessionCookie(sessionCookie, true /** checkRevoked */);
            req.user = decodedClaims;
            next();
        } catch(err){
            console.log(err);
            res.redirect("/");
        }
    }

Login is successful in any browser, then method checkSessionCookieMiddleware fails in Chrome as req.cookies.session is undefined.

Where's my mistake?

SOLUTION:

I found the solution. I had to change const options = { maxAge: expiresIn, httpOnly: true, secure: true }; to const options = { maxAge: expiresIn, httpOnly: true, secure: false /* to test in localhost */ };

scure: false did the trick as I'm still serving from localhost. Thanks also to @user2740650.

Solution

  • I found the solution. I had to change

    const options = { maxAge: expiresIn, httpOnly: true, secure: true };

    to

    const options = { maxAge: expiresIn, httpOnly: true, secure: false /* to test in localhost */ };

    scure: false did the trick as I'm still serving from localhost. Thanks also to @user2740650.