How to set secure cookie using heroku + node.js + express?


Question
I have a node.js app running on the Cedar stack and I'm puzzled why secure cookies don't work.

"express": "3.0.3",
"node": ">=0.8.14",

...
app.use(express.session({
        secret : 'somesecret',
        store : // store works fine, sessions are stored
        key : 'sid',
        cookie : {
            secure : true, // it works without the secure flag (cookie is set)
            proxy : true,  // tried using this as well, no difference
            maxAge: 5184000000 // 2 months
        }
}));
...

On localhost everything works fine, but on heroku I don't seem to be able to set a secure cookie. What am I doing wrong? The docs say the load balancer terminates SSL, is it something to configure over there?
thanks a lot

Solution

You are correct that Heroku terminates SSL before it reaches your app. That causes express to see non-ssl traffic, and that's likely why it's refusing to set the cookie when running on Heroku.

Heroku sets an X-Forwarded-Proto header with the original protocol. I haven't tested this, but according to the documentation, you have to tell express to respect the information in that header by setting trust proxy as documented here. Additional details found under req.protocol here.
