Skip to content

Add sameSite 'auto' support to match secure 'auto' pattern #1087

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
djunehor wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Add sameSite 'auto' support to match secure 'auto' pattern #1087

djunehor wants to merge 5 commits into from
+188 −2

Conversation

@djunehor
Copy link

@djunehor djunehor commented Nov 10, 2025

This PR adds support for sameSite: 'auto' option that automatically sets the SameSite cookie attribute based on connection security, similar to the existing secure: 'auto' feature.

When the connection is secure (HTTPS), SameSite is set to 'None' to enable cross-site usage, and when insecure (HTTP), it's set to 'Lax' for better security. This solves real-world scenarios like SAML authentication where the connection security isn't known at configuration time.

The implementation follows the same pattern as secure: 'auto', uses the existing issecure() function, and includes comprehensive test coverage with no breaking changes.

Fixes #1081

bjohansebas
bjohansebas approved these changes Dec 18, 2025
View reviewed changes
Copy link
Member

@bjohansebas bjohansebas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Overall, adding that option looks good to me, I think this would be good to have for v1.

By the way, I added more tests to better verify its behavior with different configurations

test/session.js
Comment on lines +961 to +967
it('should not set cookie when insecure', function (done) {
request(this.server)
.get('/')
.set('X-Secure', 'false')
.expect(shouldNotHaveHeader('Set-Cookie'))
.expect(200, 'false', done)
})
Copy link
Member

@bjohansebas bjohansebas Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The behavior here is interesting and cannot be changed since it would be a breaking change. However, because secure is set to true in the configuration, during cookie creation, which happens on this line

session/index.js

Line 161 in 2cd6561

req.session.cookie = new Cookie(cookieOptions);
takes the value from the configuration rather than from the route. As a result, the cookie ends up being a secure cookie. Since it is a secure cookie, it will not be created when the request is insecure (HTTP)

session/index.js

Line 235 in 2cd6561

if (req.session.cookie.secure && !issecure(req, trustProxy)) {
.

@bjohansebas bjohansebas self-assigned this Dec 18, 2025
@bjohansebas bjohansebas added this to the 1.19.0 milestone Dec 18, 2025
rmcsharry
rmcsharry reviewed Dec 22, 2025
View reviewed changes
index.js
Comment on lines 163 to 171
if (cookieOptions.secure === 'auto') {
req.session.cookie.secure = issecure(req, trustProxy);
}

if (cookieOptions.sameSite === 'auto') {
req.session.cookie.sameSite = issecure(req, trustProxy) ? 'none' : 'lax';
}
Copy link

@rmcsharry rmcsharry Dec 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why call the function twice when once will do?

Suggested change
if (cookieOptions.secure === 'auto') {
req.session.cookie.secure = issecure(req, trustProxy);
}
if (cookieOptions.sameSite === 'auto') {
req.session.cookie.sameSite = issecure(req, trustProxy) ? 'none' : 'lax';
}
const isSecure = issecure(req, trustProxy);
if (cookieOptions.secure === 'auto') {
req.session.cookie.secure = isSecure;
}
if (cookieOptions.sameSite === 'auto') {
req.session.cookie.sameSite = isSecure ? 'none' : 'lax';
}

Copy link
Author

@djunehor djunehor Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I initially implemented each check independently without considering that both checks rely on the same issecure() call.

I've updated the code to cache the result in a const isSecure variable and reuse it for both the secure and sameSite auto configurations. This avoids the redundant function call you pointed out.

Thanks for the review!

@djunehor djunehor force-pushed the feat/samesite-auto-support branch from f745109 to 6df617c Compare December 24, 2025 00:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bjohansebas bjohansebas bjohansebas approved these changes

@UlisesGascon UlisesGascon Awaiting requested review from UlisesGascon

+1 more reviewer

@rmcsharry rmcsharry rmcsharry left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@bjohansebas bjohansebas

Labels

semver-minor v1

Projects

None yet

Milestone

1.19.0

Development

Successfully merging this pull request may close these issues.

Support sameSite 'auto' the same as for secureCookie

3 participants

@djunehor @rmcsharry @bjohansebas