Skip to content

Add sameSite 'auto' support to match secure 'auto' pattern #1087

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bjohansebas merged 6 commits into from
Jan 17, 2026
Merged

Add sameSite 'auto' support to match secure 'auto' pattern #1087

bjohansebas merged 6 commits into from
Jan 17, 2026
+188 −2

Conversation

@djunehor
Copy link
Contributor

@djunehor djunehor commented Nov 10, 2025

This PR adds support for sameSite: 'auto' option that automatically sets the SameSite cookie attribute based on connection security, similar to the existing secure: 'auto' feature.

When the connection is secure (HTTPS), SameSite is set to 'None' to enable cross-site usage, and when insecure (HTTP), it's set to 'Lax' for better security. This solves real-world scenarios like SAML authentication where the connection security isn't known at configuration time.

The implementation follows the same pattern as secure: 'auto', uses the existing issecure() function, and includes comprehensive test coverage with no breaking changes.

Fixes #1081

bjohansebas
bjohansebas approved these changes Dec 18, 2025
View reviewed changes
Copy link
Member

@bjohansebas bjohansebas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Overall, adding that option looks good to me, I think this would be good to have for v1.

By the way, I added more tests to better verify its behavior with different configurations

test/session.js
Comment on lines +961 to +967
it('should not set cookie when insecure', function (done) {
request(this.server)
.get('/')
.set('X-Secure', 'false')
.expect(shouldNotHaveHeader('Set-Cookie'))
.expect(200, 'false', done)
})
Copy link
Member

@bjohansebas bjohansebas Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The behavior here is interesting and cannot be changed since it would be a breaking change. However, because secure is set to true in the configuration, during cookie creation, which happens on this line

session/index.js

Line 161 in 2cd6561

req.session.cookie = new Cookie(cookieOptions);
takes the value from the configuration rather than from the route. As a result, the cookie ends up being a secure cookie. Since it is a secure cookie, it will not be created when the request is insecure (HTTP)

session/index.js

Line 235 in 2cd6561

if (req.session.cookie.secure && !issecure(req, trustProxy)) {
.

@bjohansebas bjohansebas self-assigned this Dec 18, 2025
@bjohansebas bjohansebas added this to the 1.19.0 milestone Dec 18, 2025
rmcsharry
rmcsharry reviewed Dec 22, 2025
View reviewed changes
@djunehor djunehor force-pushed the feat/samesite-auto-support branch from f745109 to 6df617c Compare December 24, 2025 00:45
bjohansebas
bjohansebas reviewed Jan 17, 2026
View reviewed changes
@bjohansebas bjohansebas merged commit 73e0193 into expressjs:master Jan 17, 2026
29 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bjohansebas bjohansebas bjohansebas approved these changes

@UlisesGascon UlisesGascon Awaiting requested review from UlisesGascon

+1 more reviewer

@rmcsharry rmcsharry rmcsharry left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@bjohansebas bjohansebas

Labels

semver-minor v1

Projects

None yet

Milestone

1.19.0

Development

Successfully merging this pull request may close these issues.

Support sameSite 'auto' the same as for secureCookie

3 participants

@djunehor @rmcsharry @bjohansebas