search

koajs / session

Simple session middleware for koa
MIT License
902 stars 113 forks source link

Secure cookie issue #191

Open imnaifu opened 4 years ago

imnaifu commented 4 years ago

I'm using koa-session for a login service and found a problem when login from http://localhost.

Front-end app using http-proxy with the config like this

{
    "/api", {
      target: "https://test.com",
      changeOrigin: true
    }
}

so when the app is running at localhost:3000, it can sent ajax request to https://test.com but the problem is when login service send the response header with the set-cookie, the cookie has the secure option (I think probably detect that request is from https because the changeOrigin is set to true). And since i'm using http://localhost, the cookie is not saved (or send), so login is failed.

Currently I manually set secure: false in the config, is there a better way of fixing this?

ejose19 commented 4 years ago

Yes, you can use secure: false, however you would need to change that on production. It's better to set up nginx to redirect traffic to your app so you work with https. Also you'll want to use a FQDN to avoid issues with cookies and CORS on development (like myapp.test), so just adding your test domain to /etc/hosts pointing to 127.0.0.1 or ::1 should do it.