如何使用 heroku + node.js + express 设置安全 cookie? [英] How to set secure cookie using heroku + node.js + express?

问题描述

我有一个在 Cedar 堆栈上运行的 node.js 应用程序，但我很困惑为什么安全 cookie 不起作用.

I have a node.js app running on the Cedar stack and I'm puzzled why secure cookies don't work.

"express": "3.0.3",
"node": ">=0.8.14",

...
app.use(express.session({
        secret : 'somesecret',
        store : // store works fine, sessions are stored
        key : 'sid',
        cookie : {
            secure : true, // it works without the secure flag (cookie is set)
            proxy : true,  // tried using this as well, no difference
            maxAge: 5184000000 // 2 months
        }
}));
...

在 localhost 上一切正常，但在 heroku 上我似乎无法设置安全 cookie.我究竟做错了什么?docs 说负载均衡器会终止 SSL，是否需要在那里进行配置?
非常感谢

On localhost everything works fine, but on heroku I don't seem to be able to set a secure cookie. What am I doing wrong? The docs say the load balancer terminates SSL, is it something to configure over there?
thanks a lot

推荐答案

Heroku 在 SSL 到达您的应用程序之前终止它是正确的.这会导致 express 看到非 ssl 流量，这可能就是它在 Heroku 上运行时拒绝设置 cookie 的原因.

You are correct that Heroku terminates SSL before it reaches your app. That causes express to see non-ssl traffic, and that's likely why it's refusing to set the cookie when running on Heroku.

Heroku 使用原始协议设置 X-Forwarded-Proto 标头.我还没有测试过这个，但根据文档，你必须通过设置 trust proxy 来告诉 express 尊重该标头中的信息 此处.在req.protocol此处下可找到其他详细信息.

Heroku sets a X-Forwarded-Proto header with the original protocol. I haven't tested this, but according to the documentation, you have to tell express to respect the information in that header by setting trust proxy as documented here. Additional details found under req.protocol here.

这篇关于如何使用 heroku + node.js + express 设置安全 cookie?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！