Sometimes "cookie-session" cookies cannot be modified any more

Question

I have a Node.js Express server where I use the cookie-session module to keep a simple session in a browser cookie.

All works fine, except that sometimes (once every few weeks on my dev machine), I cannot modify the cookie any more, nor can I delete it, BUT I can still read it!

My cookie-session settings:

const options = {
  name: 'session',
  keys: ['some private constant string...'],
  maxAge: 400 * 24 * 60 * 60 * 1000, // 400 days
  path: '/',
  domain: '.mydomain.com', // Replaced by my real domain name
  sameSite: 'strict',
  secure: true,
  httpOnly: true,
  signed: true,
  overwrite: true,
};

The problem is that once it gets into that state, I cannot do much any more: the server controls the cookie in theory, but here, it cannot modify it. Even trying to get rid of it:

req.session = null

doesn't do anything.

The fact that the server still receives and decrypts that cookie is very confusing!

Clearing the cookie manually in the browser and restarting from scratch works just fine.

Do you see a way of debugging it? Worst case, could I get rid of this cookie on the browser side in JavaScript (and how)?

I am using Chromium for my dev work.


Answer 1

Score: 0

The answer is really basic and has nothing to do with cookie-session; it was just a silly setup issue on my end.

In production, my domain is mydomain.com.

In development, my test setup uses local.mydomain.com.

I did not change my cookie name, keys, etc. between production and development, which was a mistake. So if I opened my production site on my dev machine, I would end up with a production session cookie that the dev server could also see, but somehow could not modify/delete. This leads to very confusing session state and so on.

So all is fine with cookie-session; the problem was just that I was using a subdomain of the production domain in development!


huangapple
  • Posted on January 5, 2023 23:49:43
  • Please keep this link when reposting: https://go.coder-hub.com/75021071.html