Cookie not shown/stored in the browser


I have a question regarding cookies. Here I’m using apollo-server-express, express-session and redis for all of the authentication process. My problem with it is that in Apollo Studio my cookie, which is created inside the UserResolver under the mutation login, isn’t shown there. Hence why the query me returns null. It’s also worth mentioning I’m not getting any errors while doing all of this.

For better understanding I’ll leave some screenshots below.

I hope someone can help me out here. Thanks in advance.

P.S. Sorry for the cluttered screenshots. Could only attach one file because I just created this account.

Some notes:

  • main function = index file
  • login mutation = logs in user and should create a cookie
  • me query = should check if user is logged in
  • (rest of the screenshots are executions of login, me and some settings)

Hi there! Hugely appreciate the screenshots, really helps clear up uncertainty :pray:

The short answer is hardcoding the cookie’s secure field to be true + using the workaround described here (bottom) should make the connection work

The longer explanation is

  • having cookies work from one site to another requires sameSite: none (which I see has already been set)
  • sameSite: none requires secure: true (which I see is currently dependent on the environment)
  • there’s an open issue on express-session where it doesn’t send the set-header header when encountering a request made to a server running with “secure: true” running on a non-https endpoint even for localhost
  • setting trust proxy to true on the server, and sending x-forwarded-proto to https as the header will trick it into setting the cookie

There’s a different workaround suggested by express-session’s maintainer to overwrite the value of using object.defineProperty on your server, should also work

Hope that helps!

Hi, first of all I hugely appreciate the well-explained answer you gave me. If I’m being honest here, I have no idea how to set/use those tips you just mentioned, especially those in this paragraph:
“setting trust proxy to true on the server, and sending x-forwarded-proto to https as the header will trick it into setting the cookie”.
Could you provide me a code example of how that would work and, if it’s not too much to ask, also show me where I have to add this inside my code?
And lastly I just wanted to mention that I now hard coded the true value on secure but unfortunately it still doesn’t work as expected.

Best Regards,

Yup no problem!

Try adding this line before your first app.use (line 22)

app.set('trust proxy', process.env.NODE_ENV !== 'production')

Then in Studio’s Explorer’s headers tab, add this header x-forwarded-proto with a value of https

Lemme know if that works!

It’s working now. Thank you :grinning: .

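The behaviour discussed in this thread, as an added example that is not part of the original posts and is not express-session's source: a simplified model of why a cookie with secure: true is silently withheld on plain-HTTP localhost, and why trusting x-forwarded-proto changes that. The function names, the request shape and the cookie name `qid` are assumptions made for the illustration.

```javascript
// Simplified model (hypothetical helpers, not library code): a cookie marked
// Secure is only emitted when the server believes the request came over HTTPS.

// req: { encrypted: boolean, headers: {...} } is a constructed shape.
function looksSecure(req, trustProxy) {
  if (req.encrypted) return true;   // real TLS socket
  if (!trustProxy) return false;    // ignore client-supplied headers
  // Behind a trusted proxy the original scheme is the first value of
  // X-Forwarded-Proto (each hop may append its own).
  const raw = String(req.headers['x-forwarded-proto'] || '');
  return raw.split(',')[0].trim().toLowerCase() === 'https';
}

// Returns the Set-Cookie header value, or null when the cookie is withheld.
function sessionSetCookie(req, opts) {
  const { name, value, cookie, trustProxy } = opts;
  // Withheld silently: no error is raised, the header is just never sent.
  if (cookie.secure && !looksSecure(req, trustProxy)) return null;
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly'];
  if (cookie.secure) parts.push('Secure');
  if (cookie.sameSite) parts.push('SameSite=' + cookie.sameSite);
  return parts.join('; ');
}

// Browsers drop SameSite=None cookies that lack the Secure attribute.
function browserStores(setCookie) {
  if (setCookie === null) return false;
  const attrs = setCookie.split('; ').map((a) => a.toLowerCase());
  return !(attrs.includes('samesite=none') && !attrs.includes('secure'));
}

// Constructed sample requests: a cross-site client calling http://localhost.
const plain = { encrypted: false, headers: {} };
const withHeader = { encrypted: false, headers: { 'x-forwarded-proto': 'https' } };
const base = { name: 'qid', value: 'constructed-session-id' };
const crossSite = { secure: true, sameSite: 'none' };

const cases = {
  insecureCookie: sessionSetCookie(plain, { ...base, cookie: { secure: false, sameSite: 'none' }, trustProxy: false }),
  secureNoProxy: sessionSetCookie(withHeader, { ...base, cookie: crossSite, trustProxy: false }),
  secureNoHeader: sessionSetCookie(plain, { ...base, cookie: crossSite, trustProxy: true }),
  workaround: sessionSetCookie(withHeader, { ...base, cookie: crossSite, trustProxy: true }),
};
for (const [k, v] of Object.entries(cases)) console.log(k, '->', v, '| stored:', browserStores(v));
```

Any client can send x-forwarded-proto, so the header should only be trusted in development or behind a proxy that overwrites it; the `process.env.NODE_ENV !== 'production'` condition in the reply above keeps the setting off in production.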