Issues caused by the session configuration secret defaulting to inProduction

[tmkook]

When the session.store=cookie setting is set to true in a production deployment, session read issues can occur.
This issue can cause CSRF verification to fail and can be difficult to debug. While everything works fine in a local test environment, deploying to a production environment will result in an error.

This issue plagued me for nearly two hours during my first deployment.

Perhaps change this setting to false or add more emphasis to this option in the documentation?

[RomainLanz]

Hey @tmkook! 👋🏻

Are you talking about the secure flag?

Maybe this is something we can add to our Deployment Guide.

I don't want to change the value to false since it will be less secure and it is expected to have https in production.

[tmkook]

Yes, in config/session.ts

store: cookie
cookie: {
secure: app.inProduction
}

secure: app.inProduction This configuration will cause environment differences and will be difficult to debug under http access, and usually our initial environment is http access

Emphasizing this configuration in the deployment guide is helpful for more beginners