When setting the cookie-session cookie name, this code in `config/cookieSession.config.js` can be problematic:
The issue can arise when deploying to production: if you haven't set the `COOKIE_SECRET` environment variable, the app will use a generated name based on timestamp. The problem arises when deploying to a multi-server environment: each server will generate a cookie of a different name, causing issues when users roam across servers.
One solution would be to make it clear in docs that `COOKIE_SECRET` should always be set in Production, and run a check when in Production mode that will cause the server startup to fail.
Another solution would be to not use a time-based name by default, and just specify something arbitrary (i.e., the default name when using cookie-session is `session`).