Unable to create Partitioned cookie #5275
Comments
I am facing the same issue. Looking at the code, the project is using jshttp/cookie package to serialize the cookie to a string, and this downstream package does not support the partitioned flag. https://github.com/jshttp/cookie/blob/master/index.js#L111 There is a PR already to adopt this flag, let's hope for a quick turnaround: jshttp/cookie#151. And another PR, with a more active maintainer: jshttp/cookie#153. |
@dougwilson now that the partitioned property was adopted by jshttp/cookie, can it be updated here as well? |
Also interested in this. There is a time crunch as Google Chrome will begin blocking 1% of 3rd party cookies without this attribute in Q1 2024 |
Hello, our dependency recently added this, so it will get pulled in here in the next version. Apologies as it is currently a holiday time where I am, but will get a release spun up to include this asap. |
@dougwilson do you have any timeline for this upcoming release? |
I am working on it right now, so it should be out within a few days at most 👍 |
Do you have a problem? |
I'm sorry, I had to travel due to a death in the family and I keep getting bogus security vulnerability reports I have to keep triaging. I just got yet another one 30 mins ago. I am working as hard as possible. If I do not assess these and debate with the reporters or fix, they will file a CVE with no fix version and then chaos will ensue from everyone getting security reports, creating a bigger mess. I am working on express stuff right now even. |
@dougwilson sorry to hear about the difficulties you're going through. I would volunteer to boost the |
In my case, module "express" is working.
```ts
import { CookieOptions } from 'express'
declare module "express" {
  export interface CookieOptions {
    partitioned?: boolean;
  }
}
// something todo ...
```
It's working for me. I added secure: true, sameSite: 'none', partitioned: true.
```js
const cookieOption = {
  httpOnly: true,
  secure: true,
  sameSite: 'none',
  partitioned: true,
}
res.cookie(key, value, cookieOption)
```
|
Not working for me. I've set
```json
"overrides": {
  "cookie": "0.6.0"
},
```
in package.json, and checked that the deployed production cookie version is 0.6.0 in node modules. I'm using cookie-parser and express
```js
const sessionConfig = {
  secret: process.env.COOKIE_SECRET, // Secret used by passport
  resave: false,
  saveUninitialized: false,
  cookie: {
    maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days : 7 * 24 * 60 * 60 * 1000
    resave: false,
    httpOnly: false,
    secure: PRODUCTION ? true : false,
    sameSite: PRODUCTION ? 'none' : '',
    partitioned: true
  },
};
app.set('trust proxy', 1); // Don't forward proxy but client's ip
app.use(session({
  store: new pgSession({ pool: partnersDB.pool, }), // A separate session DB on the same pool
  ...sessionConfig,
}));
```
but the cookies are still not partitioned. Is this due to cookie-parser or something else? |
@PascalPlantey If you're using the https://github.com/expressjs/session package, they seem to be passing the cookie options manually (see https://github.com/expressjs/session/blob/master/session/cookie.js#L117-L138). So it would need to be fixed there |
We are working the cookie update through the dependencies currently. The cookie-session was updated recently, and express-session is here right behind, and express itself as a wip pr for it so should be out soon too. |
@vojvodics I'm using 'express' 4.15.2 and express-session 1.17.1, and I think the cookie.js in express-session should not hide the partitioned attribute:
```js
var Cookie = module.exports = function Cookie(options) {
  this.path = '/';
  this.maxAge = null;
  this.httpOnly = true;
  if (options) {
    if (typeof options !== 'object') {
      throw new TypeError('argument options must be a object')
    }
    for (var key in options) {
      if (key !== 'data') {
        this[key] = options[key]
      }
    }
  }
  if (this.originalMaxAge === undefined || this.originalMaxAge === null) {
    this.originalMaxAge = this.maxAge
  }
};
```
|
@vojvodics you are correct, I found some code below in the source, suppressing the
```js
get data() {
  return {
    originalMaxAge: this.originalMaxAge
    , expires: this._expires
    , secure: this.secure
    , httpOnly: this.httpOnly
    , domain: this.domain
    , path: this.path
    , sameSite: this.sameSite
  }
},
```
|
As an update |
I added some notes on adapting Express.js to HTTP2 or to reevaluate the SPDY breakages.. Add this one to the list It seems more reliable in the interim to suggest to others to write to headers directly.. will update here shortly with pseudocode but this is ChatGPT's version:
or my use case (adapt it to your own):
if you want to set multiple cookies, you use an array of |
Has this issue resolved yet? I'm using Express 4.18.2 and am not using any cookie packages, except cookie-parser, which has nothing to do with sending requests. `res.cookie(... , {partitioned: true})` However when I inspect the cookie in the network tab, I see nothing. This is really getting to me, cors has gotta be the biggest PITA |
Update: I've found a workaround

Instead of using
```js
const cookie = require('cookie')
// ...
res.setHeader(
  'Set-Cookie',
  cookie.serialize('session_id', String(session_id), {
    path: '/',
    httpOnly: true,
    maxAge: 86400,
    secure: true,
    sameSite: 'none',
    partitioned: true,
  })
)
```
I had to use the cookie package, because there's not enough documentation available for |
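A check for the symptom reported throughout this thread, as an added example that is not code from Express, express-session or jshttp/cookie: a serializer that only knows the older attributes silently drops `partitioned`, and an audit of the emitted `Set-Cookie` values catches it. `serialize`, `auditSetCookie`, `auditResponse` and the sample cookie are constructed for illustration; the audit assumes a cookie meant for cross-site embedded use, where `Secure` and `SameSite=None` are needed alongside `Partitioned`.

```javascript
// Added example: names below are illustrative, not Express or jshttp/cookie APIs.
const EMIT = {
  path: (v) => `Path=${v}`,
  maxAge: (v) => `Max-Age=${Math.floor(v)}`,
  httpOnly: () => 'HttpOnly',
  secure: () => 'Secure',
  sameSite: (v) => `SameSite=${v[0].toUpperCase()}${v.slice(1)}`,
  partitioned: () => 'Partitioned',
};
const LEGACY_KEYS = ['path', 'maxAge', 'httpOnly', 'secure', 'sameSite'];
const CURRENT_KEYS = [...LEGACY_KEYS, 'partitioned'];

// Emits only the attributes listed in `known`; any other option is dropped
// without an error, which is how `partitioned: true` vanished in the thread.
function serialize(name, value, opts, known) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  for (const key of known) {
    if (opts[key]) parts.push(EMIT[key](opts[key]));
  }
  return parts.join('; ');
}

// Audits one Set-Cookie value for the attributes a partitioned
// cross-site cookie needs.
function auditSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = new Map(rest.filter(Boolean).map((a) => {
    const i = a.indexOf('=');
    return i < 0 ? [a.toLowerCase(), ''] : [a.slice(0, i).toLowerCase(), a.slice(i + 1)];
  }));
  const findings = [];
  if (!attrs.has('partitioned')) findings.push('missing Partitioned');
  if (!attrs.has('secure')) findings.push('missing Secure');
  if ((attrs.get('samesite') || '').toLowerCase() !== 'none') findings.push('SameSite is not None');
  return { name: eq < 0 ? '' : pair.slice(0, eq), findings };
}

// Accepts what res.getHeader('Set-Cookie') returns: undefined, a string or an array.
function auditResponse(setCookie) {
  return [].concat(setCookie || []).map(auditSetCookie).filter((r) => r.findings.length);
}

// Constructed sample options, matching the ones used in the thread.
const opts = { path: '/', httpOnly: true, maxAge: 86400, secure: true, sameSite: 'none', partitioned: true };
const legacyHeader = serialize('session_id', 'abc123', opts, LEGACY_KEYS);
const currentHeader = serialize('session_id', 'abc123', opts, CURRENT_KEYS);
console.log(auditResponse([legacyHeader, currentHeader]));
```

Running `auditResponse(res.getHeader('Set-Cookie'))` in an integration test turns the "I see nothing in the network tab" symptom into a failing assertion after a dependency upgrade or override.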
Hi all, I am just wondering if there is a time schedule for release of this in Many thanks |
Partitioned cookies aren't supported by express yet due to a dependency on an older version of the cookie package. See expressjs/express#5275. Adding an override for a higher version of the cookie package which does support partitioned cookies fixes this.
The Partitioned attribute is not set when passing the option to res.cookie().
https://developer.chrome.com/docs/privacy-sandbox/third-party-cookie-phase-out/#partitioned-cookies