GoSquared is served entirely via HTTPS, so it was a logical and easy decision to modify our user sessions to use secure cookies. A couple of lines of configuration later, and we were good to go.
Not quite.
We use Node.js extensively, and Connect.session, which is used by Express, will refuse to set secure cookies when the connection isn’t encrypted (req.connection.encrypted) unless the proxy option is set to true and the x-forwarded-proto header is https. This is not how secure cookies behave in general, but it has been coded into Connect, probably for security reasons.
Why does this matter? Isn’t everything served via https anyway?
Of course, but everything is also served via an ELB which proxies to our nginx cluster, which in turn proxies to our app servers via internal http connections. The fix is trivial, as it’s easy to set/modify headers in nginx, which makes the header validation in Connect quite pointless: proxy_set_header x-forwarded-proto https;
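As an added example (not code from this post, nor Connect's own source), here is a plain-Node function that mirrors the rule described above: a cookie flagged secure is only set when the socket is encrypted, or when the proxy option is true and the forwarded protocol header says https. The request objects, the sid value and the helper names are constructed for the demonstration; the field names match Node's http.IncomingMessage.

```javascript
// Mirrors the rule the post describes for Connect's session middleware
// (assumption: this reproduces the described behaviour, not Connect's code).
function canSetSecureCookie(req, options) {
  // Direct TLS connection: the socket itself is encrypted.
  if (req.connection && req.connection.encrypted) return true;
  // Behind a proxy: only trust the forwarded protocol when told to.
  // The header is only meaningful if the proxy overwrites it, e.g. nginx's
  //   proxy_set_header x-forwarded-proto https;
  // so that a client cannot supply its own value.
  if (options.proxy === true) {
    return req.headers['x-forwarded-proto'] === 'https';
  }
  return false;
}

// Build the Set-Cookie value for a session. When the cookie is marked secure
// but the request does not qualify, nothing is set, which is exactly the
// silent failure the post ran into behind ELB + nginx.
function buildSessionCookie(req, options) {
  const attrs = ['sid=' + options.sid, 'Path=/'];
  if (options.cookie.httpOnly) attrs.push('HttpOnly');
  if (options.cookie.secure) {
    if (!canSetSecureCookie(req, options)) return null;
    attrs.push('Secure');
  }
  return attrs.join('; ');
}

// Constructed request object standing in for what the app server receives.
function fakeRequest(encrypted, headers) {
  return { connection: { encrypted: encrypted }, headers: headers || {} };
}

// Constructed session options: secure + httponly, trusting the proxy header.
const sessionOptions = {
  proxy: true,
  sid: 'abc123',
  cookie: { secure: true, httpOnly: true },
};

// Plain http from nginx with the header set: cookie is issued.
const withHeader = buildSessionCookie(
  fakeRequest(false, { 'x-forwarded-proto': 'https' }), sessionOptions);
// Plain http from nginx without the header: no cookie at all.
const withoutHeader = buildSessionCookie(fakeRequest(false, {}), sessionOptions);
```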
In completely unrelated news, sessions on GoSquared now use secure + httponly cookies!
PS. Remember to add proxy_set_header Host $host; too if you need the Host header to be forwarded, as it appears to get lost otherwise.