Home > Mobile >  Avoid storing cookies for visits to public pages
Avoid storing cookies for visits to public pages

Time:12-15

I use NodeJS and express-session to store session information on the database, per cookies stored

I want to store cookies only after creating an account or logging in, where the user consented to cookie policies, and not on public pages to avoid the "cookie consent box" required by GDPR.

How can I store cookies only after a browser logs in?

update

I followed the suggestions in the answer and eliminated two cookies. I stop the server, eliminate localhost's cookies, start the server, make a public page request, and I still have one cookie on public pages. This is the session data on the server's database:

> db.sessions.find().pretty()
{
    "_id" : "DObp-FFNJGLD5c5kLKWfkCaEhfWHtWpo",
    "expires" : ISODate("2022-03-03T19:41:29.807Z"),
    "session" : {
        "cookie" : {
            "originalMaxAge" : 7776000000,
            "expires" : ISODate("2022-03-03T19:41:29.807Z"),
            "secure" : null,
            "httpOnly" : true,
            "domain" : null,
            "path" : "/",
            "sameSite" : null
        },
        "flash" : {
            
        }
    }
}

and the browser shows this cookie:

browser cookie

I get the same results when I remove PassportJS from the app and when I set sameSite to "strict".

second update

As the database session has an empty flash field, I suspected it was due to flash messages. I removed this code:

const flash = require("express-flash");
app.use(flash());

and now the server does not store a cookie for visits to public pages. I use flash messages in notifications for users who login and also for public page visitors, e.g. when a page is no longer available.

So the question becomes: is it possible to use flash messages server-side only, from one handler to another, and not store a cookie?

CodePudding user response:

Going off the documentation, the saveUninitialized flag should be getting set to false -

Forces a session that is "uninitialized" to be saved to the store. A session is uninitialized when it is new but not modified. Choosing false is useful for implementing login sessions, reducing server storage usage, or complying with laws that require permission before setting a cookie. Choosing false will also help with race conditions where a client makes multiple parallel requests without a session. The default value is true, but using the default has been deprecated, as the default will change in the future. Please research into this setting and choose what is appropriate to your use-case.

https://github.com/expressjs/session#saveuninitialized

CodePudding user response:

Configure your app.use() for cookie/sessions after creating your static page routes. Express evaluates middleware and routes in the order of their declaration.

Basically do this:

// Create express app

// Declare app.use(express.static) routes

// Declare app.use(cookie) and app.use(session) routes

// Declare routes that need to use cookies/sessions

Because in this case the static content routes are declared before the cookie/session middleware the cookie middleware is not applied to the static routes.

If your route structure is more complex than this, I'd recommend making your session logic a middleware function that you can export from a dedicated file (middlware.js?). You can then require it and add the cookie/session middleware as needed inside specific routers (after declaring any static paths in that router).

  • Related