Home/ Questions/Q 9201729
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T23:05:14+00:00

we have a node.js/express application sitting behind stunnel for ssl termination. I cannot figure

  • 0

we have a node.js/express application sitting behind stunnel for ssl termination. I cannot figure out how to force secure session cookies. looking at the session middleware source:

    // only send secure session cookies when there is a secure connection.
    // proxySecure is a custom attribute to allow for a reverse proxy
    // to handle SSL connections and to communicate to connect over HTTP that
    // the incoming connection is secure.
    var secured = cookie.secure && (req.connection.encrypted || req.connection.proxySecure);
    if (secured || !cookie.secure) {
      res.setHeader('Set-Cookie', cookie.serialize(key, req.sessionID));
    }

I apparently have to set req.connection.proxySecure to true, but I don’t know how to do that. It appears stunnel is supposed to communicate this “over HTTP”, but stunnel can’t set headers. So I am at a loss. Should I instead try to set it locally by a custom bit of middleware before the session middleware, or in a connect config variable somewhere?

Thanks for any help

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Ensure the proxy is setting the X-Forwarded-Proto: https header. You must then to add the proxy:true config param to the session middleware.

    • 0