I'm using node with IIS by using iisnode and I'm having troubles setting the CookieSession option secure:true.

I'm using HTTPS on IIS and I'm redirecting any HTTP to HTTPS. But evenw ith this, if I set the CookieSession option secure:true, the session won't have any content after login.

secure: a boolean indicating whether the cookie is only to be sent over HTTPS (false by default for HTTP, true by default for HTTPS).

I'm forced to use secure:false to make it work. Why is it?

CAUSE

iisnode proxies requests from IIS to your node app running express. The ssl connection is terminated at IIS and your node app receives an http request. When the app requires cookies over a secure connection, cookieSession and express-session will not set the cookie.

RESOLUTION

You need to tell Express that it can trust the proxy when the x-forwarded-proto header is set to 'https'.

You can do this by either adding the proxy: true config

app.use(express.session({
  proxy : true, 
  secret: 'your-secret-key',
  cookie: {
    secure: true
  }            
}));

Or you can tell Express to trust the proxy globally:

app.set('trust proxy', 1)

Also set enableXFF to true in your web.config. It makes iisnode add the x-forwarded-proto (and x-forwarded-for) request headers to the express app.

<configuration>
  <system.webServer>

    <!-- ... -->

    <iisnode enableXFF="true" />

  </system.webServer>
</configuration>

PREREQUISITE

iisnode needs to be at least version 0.2.11 to have the enableXFF config add the x-forwarded-proto request HTTP headers. You can check which version of iisnode you have by looking at the properties of your iisnode.dll file probably installed in C:\Program Files\iisnode. If it's < 0.2.11, just download the latest from any of the download links here. After installation it will tell you that you need to reboot your server. I can tell you that an iisreset command (in an elevated cmd box) suffices.