Issue with cookies and cors in express session

I am having problems in making to work my server (Web Service) and client (Static Site) in render.

I believe the problem is on cors and cookies settings. this is part of my code in the server:

const app = express();

// CORS configuration
const corsOptions = {
    origin: "https://xxxx.onrender.com", // Allow your client domain
    methods: "GET,HEAD,PUT,PATCH,POST,DELETE", // Allowed methods
    credentials: true, // Allow cookies and credentials to be sent
    optionsSuccessStatus: 204 // For legacy browser support
};
app.use(cors(corsOptions));

// Handle preflight requests for all routes
app.options('*', cors(corsOptions));

// Middleware for parsing body
app.use(express.json());
app.use(express.urlencoded({ extended: true }));

// Session configuration
const isProduction = process.env.NODE_ENV === "production";

app.use(session({
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    cookie: {
        secure: isProduction && app.get('trust proxy') === 1, // Only secure if in production and using HTTPS
        httpOnly: true,
        maxAge: 1000 * 60 * 60 * 24, // 24 hours
        sameSite: isProduction ? "None" : "Lax" // 'None' for cross-origin requests in production, 'Lax' otherwise
    }
}));

// Trust the proxy (required for HTTPS in environments like Render)
if (isProduction) {
    app.set('trust proxy', 1); // Trust the first proxy (e.g., Render's load balancer)
}

// Initialize passport
app.use(passport.initialize());
app.use(passport.session());

initializePassport();

// Routes
//code omited

// Error handling middleware to catch server errors and log them
app.use((err, req, res, next) => {
    console.error(err.stack); // Log the error for debugging
    res.status(500).send('Something broke!'); // Send a generic error message
});

// Start server
const PORT = process.env.PORT || 5000;
app.listen(PORT, () => {
    console.log(`Hi there: Server running on port ${PORT}`);
    console.log(`production state ${isProduction}`);
    console.log(`app.get('trust proxy') ${app.get('trust proxy') === 1}`);
}).setTimeout(5000); // Set timeout to 5 seconds (can be increased if needed)

When testing this server on postman it works just fine. on firefox I get this warning:
Cookie “connect.sid” rejected because it has the “SameSite=None” attribute but is missing the “secure” attribute.
on chrome: Failed to load resource: the server responded with a status of 404.

In the client side I am using correctly the credentials: “include” in all fetch calls.
The app works fine in localhost using cookie: { secure: false }
any suggestions??

Hi there,

Does your static site use client-side routing? If so, you may need to add a rewrite rule to direct everything through the index.html: https://docs.render.com/deploy-create-react-app#using-client-side-routing. This could help with the 404 response.

Regards,
Keith
Render Support, UTC+10 :australia:

Thanks for reaching out. Indeed my app uses react routing. I tried the Rewrite Rule you suggested, but it did not work. I have tested this same app in another host provider and there is no problem. I wonder what am I doing wrong.

Hi there,

Please open a ticket directly with us using the Contact Support link in our dashboard.

Regards,
Keith
Render Support, UTC+10 :australia:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.