I am serving all static content on my app through a subdomain.
However, my express app is still setting session cookies on the static content. I tried setting the path like this as per the docs:
    app.use(express.session({
      secret: 'your app secret',
      cookie: {
        domain: '.yourdomain.com'
      },
      store: new MongoStore({
        db: 'db',
        host: 'localhost',
        port: config.dbPort
      })
    }));
but it still doesn’t work for me. I also tried using ‘path’:
    cookie: {
      path: '.yourdomain.com'
    }
but even that doesn’t prevent setting of cookies on static content.
Any ideas on how to remove cookies from all static content?
UPDATE:

Request Headers

    Accept:text/css,*/*;q=0.1
    Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Accept-Encoding:gzip,deflate,sdch
    Accept-Language:en-US,en;q=0.8
    Connection:keep-alive
    Host:cdn.yourdomain.com
    Referer:http://localhost:8888/
    User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5

Response Headers

    Cache-Control:public, max-age=86400
    Connection:keep-alive
    Content-Encoding:gzip
    Content-Type:text/css; charset=UTF-8
    Date:Mon, 28 May 2012 09:02:09 GMT
    Last-Modified:Tue, 01 May 2012 03:57:45 GMT
    Server:nginx
    Set-Cookie:connect.sid=d9nEPGiAeSwGFUN2Ra8CGBmq.tPdTQdk7O2UUvO2q%2BEOG2%2Fgh%2FNEdIxtUZYdUN%2FtDmas; domain=www.yourdomain.com; path=/; expires=Mon, 28 May 2012 13:02:08 GMT; httpOnly
    Transfer-Encoding:chunked
    X-Cache:MISS
    X-Edge-Id:353260802
The connect session middleware works this way. Cookies are set regardless of the current host. This is good from a performance point of view, but inherently causes issues like this.
I see two solutions for this issue:
1. Use Connect’s Vhost middleware. IMO, this is the most straightforward solution. Just create a separate app for cdn.yourdomain.com without including the session middleware for it.
2. Create a wrapper around the session middleware in order to include it only for requests with the correct host. This is a pretty odd solution, and can disturb other middleware like CSRF.
Anyway, I would say that using Node.js for serving static assets may look like a strange idea. For this, web servers like Nginx are unbeatable in terms of performance and lightness. Requests for static requests should ideally not even reach Node.js.
—
FYI, code for the second solution could look like that (untested):
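A sketch of the wrapper approach (the second solution above), written as an added example and not the answerer's original code. The names `sessionForHosts`, `normalizeHost`, `stubSession` and `simulate` are hypothetical, and `stubSession` stands in for `express.session(...)` so the block runs without Express:

```javascript
// Added example: run a session middleware only for an allow-list of hosts.
// All names here are hypothetical; sample hosts are constructed.
function normalizeHost(hostHeader) {
  // Host may carry a port and mixed case; compare on the bare lowercase name.
  if (typeof hostHeader !== 'string') return '';
  return hostHeader.trim().toLowerCase().replace(/:\d+$/, '');
}

function sessionForHosts(allowedHosts, sessionMiddleware) {
  const allowed = new Set(allowedHosts.map(normalizeHost));
  return function (req, res, next) {
    const host = normalizeHost(req.headers && req.headers.host);
    // Exact match only: substring or suffix tests also match unrelated hostnames.
    if (allowed.has(host)) return sessionMiddleware(req, res, next);
    next(); // static host: no req.session is created and no Set-Cookie is sent
  };
}

// Constructed stand-in for express.session(...): creates a session, sets a cookie.
function stubSession(req, res, next) {
  req.session = {};
  res.setHeader('Set-Cookie', 'connect.sid=CONSTRUCTED; path=/; httpOnly');
  next();
}

// Constructed request/response pair, enough to drive one middleware call.
function simulate(middleware, hostHeader) {
  const headers = {};
  const req = { headers: { host: hostHeader } };
  const res = { setHeader: (k, v) => { headers[k.toLowerCase()] = v; } };
  let passedOn = false;
  middleware(req, res, () => { passedOn = true; });
  return { cookie: headers['set-cookie'], hasSession: 'session' in req, passedOn };
}

const gate = sessionForHosts(['www.yourdomain.com'], stubSession);
for (const h of ['www.yourdomain.com', 'WWW.yourdomain.com:8888', 'cdn.yourdomain.com']) {
  const r = simulate(gate, h);
  console.log(h, '->', r.cookie ? 'Set-Cookie sent' : 'no cookie', '| session:', r.hasSession);
}
```

In an Express app the wrapper would be mounted as `app.use(sessionForHosts([...], express.session({...})))`. Any later middleware that reads `req.session`, such as the CSRF middleware mentioned above, has to tolerate its absence on the static host.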