I am using express-session for authentication in my Express application. Here is the code I have so far:

    app.use(
      session({
        store: new RedisStore({ client: redis }),
        secret: process.env.SESSION_SECRET,
        resave: true,
        saveUninitialized: true,
        cookie: {
          secure: true,
          httpOnly: true,
          maxAge: 1000 * 60 * 60 * 24 * 30, // 30 days
        },
      })
    );

I have noticed that when I set the secure parameter to true, I am unable to access req.session values after setting them. This even occurs when I have deployed my site to an HTTPS URL. However, when I set secure to false, the req.session object contains the fields I expect.
Why does this happen? I understand that secure should be false when using http/testing with localhost, but I thought we should set secure to true in production/HTTPS settings.
Thanks.