设置sameSite =“ none”和secure =“ true”不能解决Chrome抛出的新CORS错误

问题描述

我一直在尝试通过express-session修复Google Chrome浏览器引发的新CORS问题，但似乎无法解决。具体来说，此错误：

A cookie associated with a cross-site resource at http://plant-app-test.herokuapp.com/ was set without the `SameSite` attribute. It has been blocked,as Chrome Now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

我当前的堆栈是Node.js，Express.js和Passport.js，用于身份验证。您可能会看到以下配置：

app.js

require("dotenv").config();

const path = require("path");
const cors = require("cors");
const logger = require("morgan");
const helmet = require("helmet");
const express = require("express");
const mongoose = require("mongoose");
const bodyParser = require("body-parser");
const cookieParser = require("cookie-parser");

const app_name = require("./package.json").name;
const debug = require("debug")(
  `${app_name}:${path.basename(__filename).split(".")[0]}`
);

const app = express();

// CORS setup
app.use(
  cors({
    credentials: true,preflightContinue: true,optionsSuccessstatus: 200,origin: process.env.REACT_APP_CLIENT_POINT,allowedHeaders: ["Content-Type","Authorization"],methods: ["GET","POST","PUT","HEAD","PATCH","DELETE"],})
);

// Middleware Setup
app.use(helmet());
app.use(logger("dev"));
app.use(cookieParser());
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));

require("./configs/db.config");
require("./configs/session.config")(app);
require("./configs/passport/passport.config.js")(app);

// Route setup
app.use("/",require("./routes/index"));
app.use("/auth",require("./routes/auth"));
app.use("/app",require("./routes/application"));

module.exports = app;

session-config.js

const session = require("express-session");
const mongoose = require("mongoose");
const MongoStore = require("connect-mongo")(session);
const cookieParser = require("cookie-parser");

module.exports = (app) => {
  app.use(
    session({
      secret: process.env.SESS_SECRET,name: "sessionID",cookie: {
        sameSite: "none",secure: true,},resave: false,saveUninitialized: false,store: new MongoStore({
        mongooseConnection: mongoose.connection,ttl: 60 * 60 * 24 * 1000,}),})
  );
};

passport-config.js

const passport = require("passport");

require("./serializers.config");
require("./local-strategy.config");
require("./google-strategy.config");
require("./facebook-strategy.config");

module.exports = (app) => {
  app.use(passport.initialize());
  app.use(passport.session());
};

serializers-config.js

const passport = require("passport");
const User = require("../../models/User.model");

passport.serializeUser(function (user,done) {
  done(null,user._id);
});

passport.deserializeUser(async function (id,done) {
  await User.findById(id,function (err,user) {
    if (!err) done(null,user);
    else done(err,null);
  });
});

我在会话cookie上尝试了几种不同的配置，并且在我的开发人员上运行良好。环境（均位于HTTP：// localhost上，但具有不同的端口）。有人可以帮忙，因为这不允许我为用户保留会话并为我的工作流利用他们存储在cookie中的id吗？

谢谢！

解决方法

对于我的 heroku 应用程序和非常相似的情况，我通过将 proxy : true, 添加到 express-session 配置来修复它。我相信这启用了 secure: true 所需的 SSL 通信。

先尝试使用cookieParser，然后再启用cors-我真的不明白为什么，但是我相信明码排序。之后，尝试在此处注入会话“ app.use（injectSession）”，您可能需要调整会话配置代码以适合这种风格。我认为您不需要在会话配置文件中再次导入cookieParser，也许它会覆盖您以前的配置。

cookies express express-session javascript