express cookie-session failing on mobile

I am trying to use cookie-session in Express / Node.js. My setup works on PCs, but not on mobile:

  • On Android/Firefox, I can set up the session cookie, but I cannot modify it once set; I can't even erase it by setting req.session=null. Android/Chrome is fine.
  • On iOS (Safari, Chrome, Firefox), the cookie doesn't seem to ever be set (iOS 15.3).

The setup is as follows:

  • my website is hosted at "mywebsite.com" (names modified for this forum)
  • my API setting/using the cookie is at another URL "mywebsite.io" (different extension)

cookie-session options are:

name: 'session',
keys: ['my secret'],
sameSite: 'none',
secure: true,
httpOnly: true,
signed: true,
overwrite: true,

Both website and API implement HTTPS. The API is behind an nginx proxy. Express includes this:

app.set('trust proxy', 1); // trust first proxy

to make sure the secure option works behind the proxy.

The web client is created in React. I run API calls using superagent with the .withCredentials() option.

I have tried:

  • setting the maxAge option
  • setting the domain option to 'mywebsite.io' or 'mywebsite.com'
  • setting the 'path' option to '/'
  • using the should-send-same-site-none module

Whatever I do, the iOS cookie is always empty (req.session = undefined on subsequent calls), and the Android/Firefox combo won't let me update it.

There are 0 best solutions below
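
An added diagnostic sketch, not part of the original question: it checks the conditions a cross-site session cookie like the one described above has to meet (SameSite=None together with Secure, and CORS responses that allow credentials for the exact page origin), and it flags that a cookie set by mywebsite.io for a page on mywebsite.com is a third-party cookie, which browsers that block third-party cookies discard whatever its attributes. The function names, the two-label site rule and the sample header values are assumptions constructed for this example.

```javascript
// Added example; hostnames and header values below are constructed.

// Assumption: a "site" is the last two host labels. Browsers use the
// Public Suffix List, so this is wrong for suffixes such as co.uk.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Parse the attributes of one Set-Cookie value (names lower-cased).
function cookieAttrs(setCookie) {
  const attrs = {};
  for (const part of setCookie.split(';').slice(1)) {
    const [k, ...v] = part.trim().split('=');
    if (k) attrs[k.toLowerCase()] = v.join('=') || true;
  }
  return attrs;
}

// List the reasons a credentialed cross-origin response may not leave
// the browser with a usable session cookie.
function diagnose({ pageUrl, apiUrl, setCookie, corsHeaders }) {
  const findings = [];
  const attrs = cookieAttrs(setCookie);
  const pageOrigin = new URL(pageUrl).origin;
  if (pageOrigin !== new URL(apiUrl).origin) {
    // With credentials, the wildcard "*" is not accepted as allowed origin.
    if (corsHeaders['access-control-allow-credentials'] !== 'true')
      findings.push('cors-credentials-not-allowed');
    if (corsHeaders['access-control-allow-origin'] !== pageOrigin)
      findings.push('cors-origin-not-exact');
  }
  if (siteOf(pageUrl) !== siteOf(apiUrl)) {
    if (String(attrs.samesite).toLowerCase() !== 'none')
      findings.push('samesite-not-none');
    if (!attrs.secure) findings.push('missing-secure');
    // Correct attributes do not help where third-party cookies are blocked.
    findings.push('third-party-cookie');
  }
  return findings;
}

// Constructed sample mirroring the setup in the question.
const sample = {
  pageUrl: 'https://mywebsite.com/app',
  apiUrl: 'https://mywebsite.io/login',
  setCookie: 'session=abc; path=/; samesite=none; secure; httponly',
  corsHeaders: { 'access-control-allow-origin': 'https://mywebsite.com',
                 'access-control-allow-credentials': 'true' },
};
console.log(diagnose(sample));
```

An empty result is only reachable when the page and the API share a site, for example two subdomains of one registrable domain.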