Apply the cookie prefix __Host-
The browser will only accept such a cookie if it has the Secure attribute, is set from a secure (https) origin, has no Domain attribute and has its Path attribute set to /. In this way these cookies can be seen as "domain-locked".
secure: prevents the cookie from being sent over http (https only)
httpOnly: the cookie is not accessible from JavaScript on the client
sameSite: 'strict': the browser does not attach the cookie to cross-site requests
If you are behind a proxy that uses plain http to connect to nodejs, you have to tell express about it with trust proxy; otherwise express sees the request as insecure and a cookie marked secure is never set.
Example that works well:
var express = require('express');
var session = require('express-session');
var app = express();

// Behind a TLS-terminating proxy: trust the X-Forwarded-* headers from the
// first hop so express-session treats the request as secure and sets the cookie.
app.set('trust proxy', 1);

var sessionParameters = {
  secret: config.secret, // config is assumed to be loaded elsewhere
  resave: false,
  saveUninitialized: false,
  name: '__Host-session', // __Host- prefix: needs Secure, no Domain, Path=/ (express-session's default path is /)
  cookie: {
    maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
    secure: true,                     // https only
    httpOnly: true,                   // not readable from client-side JavaScript
    sameSite: 'strict',               // never sent on cross-site requests
  },
};
app.use(session(sessionParameters));
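A browser silently drops a __Host- or __Secure- cookie that violates the prefix rules, so the failure shows up as "the session never sticks" rather than as an error. The following added example (not part of the original note, and not express-session code) parses a Set-Cookie header and reports any prefix-rule violations, plus the HttpOnly and SameSite=Strict hardening the note asks for; the header strings are constructed samples.

```javascript
// Parse "name=value; Attr; Attr=val" into a name and a lowercase-keyed attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, attrs };
}

// Browser prefix rules: __Host- requires Secure, no Domain and Path=/;
// __Secure- requires Secure. Returns a list of violations (empty = accepted).
function checkCookiePrefix(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  if (name.startsWith('__Host-')) {
    if (attrs.secure !== true) problems.push('__Host- cookie must have Secure');
    if ('domain' in attrs) problems.push('__Host- cookie must not set Domain');
    if (attrs.path !== '/') problems.push('__Host- cookie must set Path=/');
  } else if (name.startsWith('__Secure-')) {
    if (attrs.secure !== true) problems.push('__Secure- cookie must have Secure');
  }
  return problems;
}

// Session-cookie hardening from the note on top of the prefix rules:
// HttpOnly and SameSite=Strict. These are expectations, not browser rules.
function checkSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = checkCookiePrefix(header);
  if (attrs.httponly !== true) problems.push('session cookie should be HttpOnly');
  if (String(attrs.samesite).toLowerCase() !== 'strict') {
    problems.push('session cookie should use SameSite=Strict');
  }
  return problems;
}

// Constructed sample: what the express-session config above should emit.
const good = '__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict';
// Constructed sample: the two mistakes the __Host- prefix is meant to catch.
const bad = '__Host-session=abc123; Domain=example.com; Path=/; HttpOnly';
console.log(checkSessionCookie(good)); // []
console.log(checkSessionCookie(bad));  // Secure missing, Domain set, SameSite missing
```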