pillarjs / cookies

Signed and unsigned cookies based on Keygrip
MIT License

don't check when setting cookie.secure to true #137

Closed lifubang closed 3 years ago

lifubang commented 3 years ago

When the web server is behind an nginx, the value of this.secure is always false even though we use the https protocol to connect to the nginx. So we get an error like this:

koa-generic-session set error: Cannot send secure cookie over unencrypted connection
  at Cookies.set (/node_modules/cookies/index.js:94:11)
  at Object.set (/node_modules/koa-generic-session/lib/session.js:93:20)
  at Object.saveNow (/node_modules/koa-generic-session/lib/session.js:280:26)
  at saveNow.next (<anonymous>)
  at onFulfilled (/node_modules/co/index.js:65:19)
  at <anonymous>
  at process._tickCallback (internal/process/next_tick.js:182:7)

Because of this check, we can't use cookie.secure anymore if the web servers are behind the nginx. So I suggest removing the secure-connection check when we set cookie.secure=true.

Signed-off-by: lfbzhm lifubang@acmcoder.com

dougwilson commented 3 years ago

The ops.secure is an option you pass into the constructor of this module: https://github.com/pillarjs/cookies#cookies--new-cookies-request-response--options--

You should pass in true when the connection is https.

lifubang commented 3 years ago

No, the web server doesn't know whether the client uses https or not, because the nginx uses http to connect to the backend web server.

dougwilson commented 3 years ago

Right, that is why in the constructor here you set whether it is or not.

lifubang commented 3 years ago

The client uses https to connect to nginx, and the nginx uses http to connect to the backend web server. This is a common architecture for a web site; we should let secure cookies work.

dougwilson commented 3 years ago

This module does work with that configuration just fine. Just set secure: true in the constructor this module provides.

lifubang commented 3 years ago

I use koa2; how do I set this option?

dougwilson commented 3 years ago

I'm not familiar with what koa2 is. I just maintain this module, which is where you opened this issue at. This module provides an API to do exactly what you want. If this module is being used by another module and not by you directly, you should open your issue in that module to get the API information that above layer provides.
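The point the maintainer makes in this thread is that the module cannot see the client's TLS session behind a proxy, so the caller has to tell it. The following is an added example, not code from the cookies module, from nginx, or from either participant: it derives the `secure` constructor option from the request, trusting `X-Forwarded-Proto` only when the immediate peer is a proxy we control, because a client that can reach the backend port directly could otherwise send the header itself and obtain `secure` cookies over plain HTTP. The proxy addresses, the fake request objects and the `buildSetCookie` stand-in for the module's check are all constructed for this example; they assume nginx is configured with `proxy_set_header X-Forwarded-Proto $scheme;`.

```javascript
// Addresses of the reverse proxies allowed to set X-Forwarded-Proto
// (constructed example values; a real deployment lists its proxy subnet).
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Decide whether the *client's* connection is HTTPS.
// 1. A TLS socket terminated in this process (tls.TLSSocket) has `encrypted === true`.
// 2. Otherwise believe X-Forwarded-Proto only when the peer is a known proxy;
//    anyone reaching the port directly could send that header themselves.
function connectionIsSecure(req, trustedProxies = TRUSTED_PROXIES) {
  const sock = req.socket || {};
  if (sock.encrypted === true) return true;
  if (!trustedProxies.has(sock.remoteAddress)) return false;
  const xfp = (req.headers && req.headers['x-forwarded-proto']) || '';
  // The header may carry a comma-separated chain; the first entry is the
  // scheme seen by the outermost proxy, i.e. the one the browser used.
  const scheme = String(xfp).split(',')[0].trim().toLowerCase();
  return scheme === 'https';
}

// Build the options object for `new Cookies(req, res, options)`.
// `keys` (the Keygrip key list) is left to the caller; only `secure` is derived here.
function cookiesOptions(req, trustedProxies = TRUSTED_PROXIES) {
  return { secure: connectionIsSecure(req, trustedProxies) };
}

// Simplified stand-in for the check behind the error quoted in the issue
// (not the module's code): a Set-Cookie marked `secure` is refused unless
// the Cookies instance itself was told the connection is secure.
function buildSetCookie(options, name, value, attrs = {}) {
  if (attrs.secure && !options.secure) {
    throw new Error('Cannot send secure cookie over unencrypted connection');
  }
  let header = `${name}=${value}; path=/; httponly`;
  if (attrs.secure) header += '; secure';
  return header;
}

// Constructed requests shaped like what Node's http server hands a handler.
function fakeRequest(remoteAddress, headers, encrypted = false) {
  return { socket: { remoteAddress, encrypted }, headers };
}

const viaNginx = fakeRequest('127.0.0.1', { 'x-forwarded-proto': 'https' });  // nginx -> backend over http
const spoofed = fakeRequest('203.0.113.9', { 'x-forwarded-proto': 'https' }); // direct client forging header
const directTls = fakeRequest('203.0.113.9', {}, true);                        // TLS terminated in Node

// Try to issue a secure session cookie for each request shape and report
// either the resulting Set-Cookie header or the error the check raises.
function demo() {
  const results = {};
  for (const [label, req] of Object.entries({ viaNginx, spoofed, directTls })) {
    const opts = cookiesOptions(req);
    try {
      results[label] = buildSetCookie(opts, 'sid', 'abc123', { secure: true });
    } catch (err) {
      results[label] = err.message;
    }
  }
  return results;
}

console.log(demo());
```

Only the request that arrives from a listed proxy with `X-Forwarded-Proto: https`, or one whose socket is itself TLS, yields `{ secure: true }`; the forged header from an untrusted address is ignored and the cookie is refused, which is the behaviour the check in the module is there to enforce. For the koa2 question at the end of the thread (a note outside the thread, not the maintainer's words): Koa constructs `ctx.cookies` itself and passes `secure: ctx.request.secure`, and `ctx.request.secure` honours `X-Forwarded-Proto` only when `app.proxy = true` is set, so that flag is the Koa-level equivalent of the trusted-proxy decision above.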