I'm using node with IIS by using iisnode and I'm having trouble setting the CookieSession option secure:true.
I'm using HTTPS on IIS and I'm redirecting any HTTP to HTTPS.
But even with this, if I set the CookieSession option secure:true, the session won't have any content after login.
secure: a boolean indicating whether the cookie is only to be sent over HTTPS (false by default for HTTP, true by default for HTTPS).
I'm forced to use secure:false to make it work. Why is it?
CAUSE
iisnode proxies requests from IIS to your node app running express. The ssl connection is terminated at IIS and your node app receives an http request. When the app requires cookies over a secure connection, cookieSession and express-session will not set the cookie.
RESOLUTION
You need to tell Express that it can trust the proxy when the x-forwarded-proto header is set to 'https'. You can do this by either adding the proxy: true config
Or you can tell Express to trust the proxy globally:
Also set enableXFF to true in your web.config. It makes iisnode add the x-forwarded-proto (and x-forwarded-for) request headers to the express app.
PREREQUISITE
iisnode needs to be at least version 0.2.11 to have the enableXFF config add the x-forwarded-proto request HTTP headers. You can check which version of iisnode you have by looking at the properties of your iisnode.dll file, probably installed in C:\Program Files\iisnode. If it's < 0.2.11, just download the latest from any of the download links here. After installation it will tell you that you need to reboot your server. I can tell you that an iisreset command (in an elevated cmd box) suffices.
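The decision described in the answer above, as an added example that is not part of the original answer and is not Express, cookie-session or express-session source code: a simplified model of when a secure session cookie is emitted behind a TLS-terminating proxy such as IIS with iisnode. The function names `requestIsSecure` and `buildSessionCookie`, the `trustProxy` option name and the sample requests are assumptions made for illustration.

```javascript
// Added example: simplified model of the secure-cookie decision behind a proxy.
// Function names, option names and sample requests are hypothetical.

// Decide whether the original client connection was HTTPS.
// socket.encrypted is true only when Node itself terminated TLS, which is
// never the case behind iisnode, because IIS terminates TLS.
function requestIsSecure(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;
  // Forwarded headers are client-controllable unless a proxy you operate
  // sets them, so they are ignored unless trust is explicitly enabled.
  if (!trustProxy) return false;
  const header = req.headers['x-forwarded-proto'];
  if (typeof header !== 'string') return false;
  // A chain of proxies may produce "https, http"; the first entry is the
  // client-facing hop.
  return header.split(',')[0].trim().toLowerCase() === 'https';
}

// Return the Set-Cookie value, or null when a secure cookie is withheld
// because the request does not look like HTTPS to the app.
function buildSessionCookie(req, opts) {
  if (opts.secure && !requestIsSecure(req, opts.trustProxy)) return null;
  const attrs = ['session=' + encodeURIComponent(opts.value), 'Path=/', 'HttpOnly'];
  if (opts.secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Constructed requests, as the node process sees them behind IIS.
// Without enableXFF: plain HTTP hop, no forwarded header.
const withoutXFF = { socket: { encrypted: false }, headers: {} };
// With enableXFF: iisnode adds x-forwarded-proto for the original scheme.
const withXFF = {
  socket: { encrypted: false },
  headers: { 'x-forwarded-proto': 'https' },
};

function demo() {
  const base = { secure: true, value: 'abc' };
  return {
    noHeader: buildSessionCookie(withoutXFF, { ...base, trustProxy: true }),
    headerNotTrusted: buildSessionCookie(withXFF, { ...base, trustProxy: false }),
    headerTrusted: buildSessionCookie(withXFF, { ...base, trustProxy: true }),
  };
}

console.log(demo());
```

Only the third case produces a cookie, which is why both the iisnode header and the trust setting are needed together; trust the header only when the node process is reachable solely through IIS.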