expressjs / session

Simple session middleware for Express
MIT License

Can't set partitioned cookie even though I updated all of the package #972

Open JamieNagy opened 9 months ago

JamieNagy commented 9 months ago

I'm using express-session:

// Imports added for completeness. `db` (a pg connection pool) and `pgSession`
// (the store class, e.g. the one returned by connect-pg-simple) are assumed
// to be defined elsewhere in the application.
import express from "express";
import session from "express-session";
import cookieParser from "cookie-parser";

const app = express();
app.use(cookieParser());

app.use(
  session({
    store: new pgSession({
      pool: db,             // existing pg Pool
      tableName: "session", // table that holds the session rows
    }),
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    cookie: {
      sameSite: "none",
      secure: true,       // required for SameSite=None and for Partitioned
      partitioned: true,  // CHIPS attribute that is not being emitted
      maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days, in milliseconds
    },
  })
);

I updated all of the packages, including express-session and cookie, but the partitioned attribute is not being recognized and is not being set. What should I do?

esoylugoto commented 8 months ago

@HoneyMeat express is using cookie version 0.5.0 internally, which discards the partitioned option. You can manually build your cookie and set your response header. For that you have to use cookie 0.6.0 as a dependency:

import express from 'express';
import { serialize } from 'cookie'; // needs cookie >= 0.6.0 for `partitioned`

const app = express();

// Route handler added so the snippet is complete; the original only showed the body.
app.get('/login', (req, res) => {
  // Build the Set-Cookie header by hand so the Partitioned attribute survives.
  const cookie = serialize('myCookieName', 'mySessionId', {
    httpOnly: true,
    sameSite: 'none',
    secure: true,
    partitioned: true,
    path: '/',
  });
  return res.setHeader('Set-Cookie', cookie).status(200).send();
});

JoseAlbertoVazq commented 8 months ago

Same problem over here. Updated the express package to 4.19.0 and express-session to 1.18.0; both depend on version 0.6.0 of the cookie package. The cookie is being set with no partition applied.

import _ from 'lodash';
import session from 'express-session';

// `sameSite` and `secure` come from configuration (e.g. environment variables),
// `mySecret`, `myDomain` and `storeObject` are defined elsewhere in the app.
app.use(session({
  resave: false,
  saveUninitialized: false,
  secret: mySecret,
  cookie: {
    domain: myDomain,
    path: '/',
    sameSite: !_.isNil(sameSite) ? sameSite : 'lax',
    // `secure` is a string such as "true" from the environment
    secure: !!(!_.isNil(secure) && secure.toLowerCase() === 'true'),
    partitioned: true, // <-- HERE is where the attribute has to be set according to Express Session docs
  },
  store: storeObject,
}));

Any tips on this??

esoylugoto commented 8 months ago

@JoseAlbertoVazq if you check with developer tools, what do you see in your response headers, in the response which sets the cookie? If it is malformed, the browser might silently discard it.
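As an added example (not code from this thread, nor from express-session or the cookie package), the following dependency-free script does two things the comments above describe: it builds a Set-Cookie header that carries the Partitioned attribute, the way the manual cookie 0.6.0 approach does, and it audits a Set-Cookie header copied out of the dev tools response for the attributes a browser requires before it will store a partitioned cookie. The serializer is a hypothetical stand-in written here, not the cookie package's serialize; the sample headers are constructed. The constraints checked are the CHIPS rule that Partitioned cookies must also be Secure, and the existing rule that SameSite=None requires Secure.

```javascript
// Build a Set-Cookie header value with the CHIPS "Partitioned" attribute.
// Hypothetical helper written for this example, not the `cookie` package.
function buildPartitionedSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (Number.isFinite(opts.maxAge)) parts.push(`Max-Age=${Math.floor(opts.maxAge)}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  if (opts.partitioned) parts.push('Partitioned');
  return parts.join('; ');
}

// Parse one Set-Cookie header into { name, value, attrs }.
// Attribute names are lower-cased because browsers match them case-insensitively.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const item of rest) {
    if (!item) continue;
    const i = item.indexOf('=');
    const key = (i === -1 ? item : item.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : item.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return the reasons a browser would not store this as a partitioned cookie.
// An empty array means the header is well-formed for CHIPS.
function auditPartitionedCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  const secure = 'secure' in attrs;
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;

  if (!('partitioned' in attrs)) {
    problems.push('Partitioned attribute missing: whatever serialized the cookie dropped it (cookie < 0.6.0 does this)');
  }
  if (!secure) {
    problems.push(sameSite === 'none'
      ? 'Secure missing: both Partitioned and SameSite=None require Secure, so the browser rejects the cookie'
      : 'Secure missing: Partitioned cookies must be Secure, so the browser rejects the cookie');
  }
  return problems;
}

// Constructed sample: what a correct header for express-session's default cookie name looks like.
const GOOD_HEADER = buildPartitionedSetCookie('connect.sid', 's:abc', {
  path: '/', maxAge: 30 * 24 * 60 * 60, httpOnly: true, secure: true, sameSite: 'None', partitioned: true,
});

// Constructed sample: the shape you see when the nested cookie dependency silently drops the option.
const DROPPED_HEADER = 'connect.sid=s%3Aabc; Path=/; HttpOnly; Secure; SameSite=None';

console.log(GOOD_HEADER);
console.log(auditPartitionedCookie(GOOD_HEADER));     // []
console.log(auditPartitionedCookie(DROPPED_HEADER));  // one problem: Partitioned missing
```

Paste the Set-Cookie value from the Network tab into auditPartitionedCookie: if it reports the attribute missing, the server never sent it and the fix is on the dependency side; if it reports Secure missing, the server sent it but the browser is entitled to discard the whole cookie.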

esoylugoto commented 7 months ago

@JoseAlbertoVazq If you are checking the dev tools on a different domain than which the cookie is set, your cookie connect.sid is expected to not show up. Are you sure you are checking it from the domain it is set?

The Partitioned option makes the cookie work only from the domain it is set on.

JoseAlbertoVazq commented 7 months ago

> @JoseAlbertoVazq If you are checking the dev tools on a different domain than which the cookie is set, your cookie connect.sid is expected to not show up. Are you sure you are checking it from the domain it is set?
>
> The Partitioned option makes the cookie work only from the domain it is set on.

The cookie is always shown, but when I set the Partitioned attribute, and it always was like that, I'm running it on the same domain (locally and on staging, but those are two different tests: local --> local and staging --> staging).

JoseAlbertoVazq commented 7 months ago

Okay, so I found the solution for my case. I am also using cookie-parser, and its last release is from three years ago, so the cookie lib in its package.json was the 0.4.1 version.

Make sure to add this to your package.json

npm:

  "overrides": {
    "cookie": "0.6.0",
    "cookie-signature": "1.2.1"
  }

yarn:

  "resolutions": {
    "**/cookie": "0.6.0",
    "**/cookie-signature": "1.2.1"
  }

Also, ensure that the secure attribute in the CookieOptions object is set to true and is not being overridden by anything else in any other place in your code.

Now it's working for me!!