I'm using node with IIS by using iisnode and I'm having trouble setting the CookieSession option secure:true.
I'm using HTTPS on IIS and I'm redirecting any HTTP to HTTPS.
But even with this, if I set the CookieSession option secure:true, the session won't have any content after login.
secure: a boolean indicating whether the cookie is only to be sent over HTTPS (false by default for HTTP, true by default for HTTPS).
I'm forced to use secure:false to make it work. Why is that?
CAUSE
iisnode proxies requests from IIS to your node app running Express. The SSL connection is terminated at IIS and your node app receives an HTTP request. When the app requires cookies over a secure connection, cookieSession and express-session will not set the cookie.
RESOLUTION
You need to tell Express that it can trust the proxy when the x-forwarded-proto header is set to 'https'.
You can do this either by adding the proxy: true config option:
var express = require('express');
var app = express();

// Express 3 API; in Express 4+ the middleware lives in the express-session package
app.use(express.session({
    proxy : true,                // trust x-forwarded-proto set by the proxy (iisnode)
    secret: 'your-secret-key',
    cookie: {
        secure: true             // only send the session cookie over HTTPS
    }
}));
Or you can tell Express to trust the proxy globally:
app.set('trust proxy', 1);
Also set enableXFF to true in your web.config. It makes iisnode add the x-forwarded-proto (and x-forwarded-for) request headers to the requests it forwards to the Express app.
<configuration>
  <system.webServer>
    <!-- ... -->
    <iisnode enableXFF="true" />
  </system.webServer>
</configuration>
PREREQUISITE
iisnode needs to be at least version 0.2.11 for the enableXFF config to add the x-forwarded-proto request HTTP header. You can check which version of iisnode you have by looking at the properties of your iisnode.dll file, probably installed in C:\Program Files\iisnode. If it's < 0.2.11, just download the latest from any of the download links here. After installation it will tell you that you need to reboot your server. I can tell you that an iisreset command (in an elevated cmd box) suffices.