Express.js, Cookies, Sessions, OAuth, and Redirects

david karapetyan on November 20, 2018

Getting an OAuth workflow working is surprisingly tricky if you want to provide a seamless experience. There were several issues I ran into that ...

Didn't know that was a thing? Where do I set that option?


I'm not an Express.js user, but according to you can set sameSite: 'lax' instead of true/false.

When SameSite is "Strict" then cookies are only sent on requests that come from the same origin, which means they are not sent when following links or redirects. With "lax" then they are also sent on those cases. It's a bit less secure, but as you can see the strict mode tends to break things.
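The Strict/Lax distinction described in the comment above, as an added example that is not part of the original thread or of Express.js: a small model of the browser's decision whether to attach a cookie to a request, and a helper that applies it to the OAuth redirect case (the identity provider sending the browser back to the application's callback URL). The `registrableSite` helper is a deliberate simplification (last two host labels, no public suffix list), and the cookie and request shapes are assumptions made for this example.

```javascript
// Added example (not from the original post): models the SameSite rules a browser
// applies when deciding whether to attach a cookie to a request.

const SAME_SITE_VALUES = new Set(['strict', 'lax', 'none']);

// Simplified "site" computation: last two labels of the hostname.
// Real browsers consult the public suffix list; this is enough for the demo.
function registrableSite(url) {
  const labels = new URL(url).hostname.split('.');
  return labels.slice(-2).join('.');
}

// cookie:  { name, sameSite: 'strict' | 'lax' | 'none', secure: boolean }
// request: { url, initiatorUrl, topLevelNavigation: boolean, method }
function shouldSendCookie(cookie, request) {
  const sameSite = String(cookie.sameSite || 'lax').toLowerCase();
  if (!SAME_SITE_VALUES.has(sameSite)) {
    throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }

  const crossSite =
    registrableSite(request.url) !== registrableSite(request.initiatorUrl);

  // Same-site requests always carry the cookie, whatever the attribute says.
  if (!crossSite) return true;

  switch (sameSite) {
    case 'strict':
      // Never sent cross-site, including top-level links and redirects.
      return false;
    case 'lax':
      // Sent only on top-level navigations using a safe method (GET).
      return request.topLevelNavigation === true && request.method === 'GET';
    case 'none':
      // Sent cross-site, but modern browsers require the Secure flag as well.
      return cookie.secure === true;
  }
}

// The OAuth callback: the provider redirects the browser (top-level GET) from
// its own origin back to the app. Returns true if the app's session cookie
// would be attached to that request under the given SameSite setting.
function sessionSurvivesOauthRedirect(sameSite) {
  const sessionCookie = { name: 'connect.sid', sameSite, secure: true };
  const callbackRequest = {
    url: 'https://app.example/auth/callback?code=constructed-code', // constructed
    initiatorUrl: 'https://idp.example/authorize',                  // constructed
    topLevelNavigation: true,
    method: 'GET',
  };
  return shouldSendCookie(sessionCookie, callbackRequest);
}

module.exports = { registrableSite, shouldSendCookie, sessionSurvivesOauthRedirect };
```

Running `sessionSurvivesOauthRedirect('strict')` gives `false` and `sessionSurvivesOauthRedirect('lax')` gives `true`, which is exactly the breakage the thread describes: with Strict, the session established before the redirect to the provider is invisible on the way back, so the callback handler cannot match the state parameter to a session.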

Update the post accordingly. Thanks for the pointer.


I hope you're not using random secret in the production as you showed in the code snippet. It would not maintain the sessions across server restarts!


I am. The application is not in production and I do want sessions to be flushed during restarts. Easiest way to flush the sessions is to use a random secret token.


Never thought about that. Would be rather annoying if you're using nodemon and your session gets flushed every time you save a file though, you'd have to log back in all the time.

I'm not reloading the application on every save. My local setup only requires recompiling frontend assets so the backend sessions aren't flushed on every save. They're only flushed when I recompile the backend and restart. When I start working on the backend again I will probably rethink the session flushing strategy.
