【Feature】I wish I could define the name by req #920

code-farmer-i opened this issue Nov 15, 2022 · 5 comments
@code-farmer-i
now

session({ name: 'a string' })

expect

session({ name(req) { return 'a string' } })

@dougwilson
Contributor

Hello, and thank you for your suggestion. The goal of the configuration for this middleware is to be as static as possible. Can you elaborate on the specific use-case you are trying to accomplish that would make use of this?

@wodCZ
wodCZ commented Oct 16, 2023

@dougwilson hi, I have a use-case for dynamic configuration.

We have a back-end staging environment running, currently serving as both a staging endpoint for the staging instance of the webapp, which fits the sameSite: 'strict', secure: true cookie setup just fine.
But we'd like the staging instance to also accept requests from front-end developers' localhost, so they can use it for development.

I'd like to configure that if the request origin is localhost, then use sameSite: 'none', strict: true for the request.

Is there a workaround for such a use-case? I'm not sure what the consequences are for the staging environment if I set sameSite: 'none', secure: true cookie settings statically for all requests.

Thanks!

@thom-nic

I'm looking for something similar; I have a device with an embedded webserver that by default is available over http and https. If the user accesses it over https, we could use secure; however, switching back to http will always fail until they clear their browser cookies.

One solution would be if I could have a different cookie name when the request is https, and also dynamically set secure: true under the same condition. So not only would name need to be dynamic but potentially other options as well.

I'm wondering if I could wrap the session instance - actually two session instances - in my own middleware function that chooses one or the other based on req.secure...

@raphendyr

A bit of an old issue, but a few ideas for both.

For @wodCZ's case. One idea is to set sameSite: 'none' always for this environment, as there shouldn't be security issues. Alternatively, make a router middleware which selects which of two instances of express-session to use based on the request. Sadly, I think there are some complications to using multiple express-sessions. I hope those get fixed in the future.

For @thom-nic's case. I would consider creating two express servers, one for each port (http and another for https). This way you can fully manage what middlewares are in each server. If you want to expose all the same routes via both servers, then it should be easy with a single router instance. Although, this setup would also allow you to tailor which routes are bound to which server.

@thom-nic
I created a wrapper middleware that chooses the correct cookie name based on context and effectively has two separate session instances underneath.
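
The wrapper approach discussed in this thread (two express-session instances, one chosen per request from req.secure), as an added example; it is not @thom-nic's code and not part of express-session. The `createDualSession` helper, its `secureSecret`/`plainSecret` options and the cookie names are assumptions made for this sketch, and the express-session factory is passed in by the caller.

```javascript
// Added example, not code from the thread or from express-session.
// `session` is the express-session factory, passed in by the caller, e.g.
//   app.use(createDualSession(require('express-session'), { ... }))
// createDualSession, secureSecret, plainSecret and the cookie names are
// hypothetical names chosen for this sketch.
function createDualSession(session, options) {
  const { secureSecret, plainSecret, ...shared } = options;

  // Distinct signing secrets keep the two contexts isolated: a session
  // cookie captured over plain HTTP fails signature verification if it is
  // replayed under the HTTPS cookie name.
  if (!secureSecret || !plainSecret || secureSecret === plainSecret) {
    throw new Error('secureSecret and plainSecret must be set and different');
  }

  const build = (name, secret, secure) => session({
    resave: false,
    saveUninitialized: false,
    ...shared,
    name,
    secret,
    cookie: { ...shared.cookie, secure },
  });

  // HTTPS instance: the cookie carries the Secure attribute.
  const secureSession = build('sid.secure', secureSecret, true);
  // HTTP instance: its own cookie name, so it never has to overwrite a
  // Secure cookie left behind by an earlier HTTPS visit.
  const plainSession = build('sid.plain', plainSecret, false);

  return function dualSession(req, res, next) {
    // req.secure is provided by Express; behind a TLS-terminating proxy it
    // is only accurate when "trust proxy" is configured.
    const chosen = req.secure === true ? secureSession : plainSession;
    return chosen(req, res, next);
  };
}
```

State kept in the plain-HTTP session travels with a cookie that is visible on the network, so treat it as lower trust than the HTTPS session.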
