How to set session cookie (.sid) as secure?

Hello, I know that there’s a setting for the .auth cookie to be secure, and it works. But how can I achieve this for the .sid cookie (the session cookie, as far as I understand)? My app is going through a security audit and I have to accomplish this in order to be able to deploy to production servers…

I’ve been trying under config.js, but I haven’t succeeded.

Thanks!

I’ve been exploring with express (https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely) using:

// Snippet from the Express security best-practices page linked above,
// completed so it runs: the require/app lines, the expiryDate definition
// and the closing parentheses were missing in the post.
const session = require('cookie-session')
const express = require('express')
const app = express()

const expiryDate = new Date(Date.now() + 60 * 60 * 1000) // 1 hour
app.use(session({
  name: 'session',
  keys: ['key1', 'key2'],
  cookie: {
    secure: true,      // only sent over HTTPS
    httpOnly: true,    // not readable from client-side JavaScript
    domain: 'example.com',
    path: 'foo/bar',
    expires: expiryDate
  }
}))

In config.js (lines 17-20), if I add the “cookie: {” part, I get a Node.js error (ERR_HTTP_HEADERS_SENT).

[screenshot]

When and where do you get the nodejs error?

Hi, after adding lines 21-24 to config.js as shown in the screenshot and logging in (API action > Security provider: Security login), the server log in Wappler shows the error.

Maybe it would be easier to dismiss what I’ve been trying. The main objective is to “get the .sid cookie secure variable = true.”

[screenshot]

Thanks a lot!

I tested it and the changes you made are correct; that should work. Make sure to delete the old session cookie so that it creates a new one.

The ERR_HTTP_HEADERS_SENT error occurs when Node tries to set the headers after they were already sent to the client. Not sure why you are getting that after setting the cookie options.

Hi, I’m going to deliver the app I’m working on, and in a few days I’m going to set up a clean project to test these secure-cookie changes and I’ll get back to you with the results.

It turns out the security audit was passed regardless of this ‘non-secure’ cookie.

Thanks a lot!

The only thing that the secure flag does is that the cookie will only be accepted when the site is served over HTTPS. It does not make your cookie more secure. The only flag that I would always set with session and security cookies is the httpOnly flag, since it makes sure the cookies can’t be manipulated in the client browser.