
I have a curious situation with my NodeJS server: it seems like searching for the website on Google signs out the user.

The homepage is https://emocoes.org/pt/inicio. I sign in to the website and the homepage shows the version for users, such as a "Content list" button.

I open a new tab, search for the website on Google and click the link. Now the homepage no longer shows the version for users. It's as if I had signed out. When I refresh the first tab with the member version of the homepage, it also shows the public version. I checked that the cookie for session in the session store still exists.

The URL from the Google query is:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjC2J3D65H4AhX5Q_EDHRpnCvoQFnoECAYQAQ&url=https%3A%2F%2Femocoes.org%2Fpt%2Finicio&usg=AOvVaw15-Ef1H79pA6DxaHMLJfgC

I do not see any issue in this link.

I added this tracing to the server's route for the homepage:

// `router` is the app's express.Router(); the three console.log lines are the added tracing.
router.get("/pt/inicio", async (req, res) => {
  console.log("URL = %o", req.originalUrl);
  console.log("query = %o", req.query);
  console.log("User = %o", req.user);
  // The result after following the Google URL is:
  // [2022-06-03T17:40:21.308Z] URL = '/pt/inicio'
  // [2022-06-03T17:40:21.308Z] query = {}
  // [2022-06-03T17:40:21.309Z] User = undefined
  ...
});

Since the session exists in the MongoDB store, it's as if clicking the Google link deletes the cookie in the browser. I use Safari on macOS and the same thing happens to users on Windows and Google Chrome.

How can I debug this issue?

P.S.: If you want to try it yourself, create a temporary email address at dispostable.com and use it to create an account at https://emocoes.org/en/entrar .

Update

The NodeJS server code setting the cookie is:

const express = require('express');
const session = require('express-session');
const MongoDBStore = require('connect-mongodb-session')(session);

const app = express();
// `store` is a MongoDBStore instance (constructed elsewhere, not shown here).

const max_session_ms = 365 * 24 * 60 * 60 * 1000;

app.use(
  session({
    // express-session reads httpOnly/secure from the cookie object;
    // top-level httpOnly/secure keys are ignored, so they belong here.
    cookie: {
      maxAge: max_session_ms,
      sameSite: "strict",
      httpOnly: true,  // Don't let browser javascript access cookies.
      secure: true,    // Only send the cookie over HTTPS.
    },
    store: store,
    secret: ...,  // The cookie is always signed with this secret; there is no separate `signed` option.
    resave: false,  // Unknown effect. See https://github.com/expressjs/session#resave
    saveUninitialized: false,  // Save only explicitly, e.g. when logging in.
  })
);

1 Answer

The reason for this problem seems to be that your site sets the session cookie with SameSite=Strict.

The cookie SameSite attribute is a security feature which you may need if your site has tight security requirements. You should probably not bother with it, and leave it unset, if it doesn't. When SameSite is Strict and you click a link on another site that leads to your site, the browser will not send the cookie. When Lax, it will send the cookie when clicking on a link, but it will not send it when another site embeds images from your site, for example. More information is available in the relevant MDN page and in the draft standard for cookies (scattered over several sections, such as 5.2, 5.4.7, and 8.8).

If you use Strict, you must be prepared for strange things to happen. While it looks strange that following a link on one tab affects the reloading on another tab, this has to do with whether reloading is considered to be "same site". Section 8.8.5 of the draft standard defines the rules for that, which are complicated and their implementation could differ between browsers.

When I use Internet banking, I am logged out whenever I do anything slightly out of the ordinary. As far as I can see, my banks don't use SameSite=Strict, but the example shows that sites with high security are very picky.

  • Good hint. Could you explain a bit more? As it is, it is probably not the only reason. First, it does not explain why the user gets logged out when they make a direct request, e.g. when they refresh a page where they were previously logged in. Second, I changed the code from strict to lax (I updated the question with the relevant code) and I still have the same problem.
    – emonigma
    Commented Jun 22, 2022 at 7:15
  • Are you certain about still having the same problem? I can't reproduce the problem any more on Firefox.
    Commented Jun 22, 2022 at 7:48
  • Indeed, now that I try again, I cannot reproduce it either. Maybe it was some immediate caching issue. I updated the question again with sameSite to strict.
    – emonigma
    Commented Jun 22, 2022 at 8:00
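The SameSite rule the answer describes, as an added example (not code from the question, the answer or express-session): a small JavaScript model of the browser's decision whether to attach a cookie to a request, applied to the click-from-Google case. The reduced public-suffix set and the request objects are constructed for this example.

```javascript
// Model of the browser's SameSite check before attaching a cookie to a request
// (draft cookie standard: Strict / Lax / None). Added example; not from the
// question, the answer or express-session. ASSUMPTION: the public-suffix list
// is reduced to a few hard-coded entries; real browsers use the full list.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain (eTLD+1): the public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase();
}

// "Schemeful" same-site: same scheme and same registrable domain.
function isSameSite(urlA, urlB) {
  const a = new URL(urlA), b = new URL(urlB);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Would the browser attach `cookie` to `request`?
// request = { initiator, target, method, topLevelNavigation }
// An unset SameSite is treated as Lax here (the draft standard's default).
function cookieIsSent(cookie, request) {
  if (isSameSite(request.initiator, request.target)) return true;
  switch ((cookie.sameSite || "lax").toLowerCase()) {
    case "strict": return false;                           // never cross-site
    case "lax":    return request.topLevelNavigation === true &&
                          SAFE_METHODS.has(request.method.toUpperCase());
    case "none":   return cookie.secure === true;           // requires Secure
    default:       return false;
  }
}

// The question's scenario (constructed): a click on a Google result is a
// cross-site, top-level GET navigation to emocoes.org.
const GOOGLE_CLICK = {
  initiator: "https://www.google.com/search?q=emocoes",
  target: "https://emocoes.org/pt/inicio",
  method: "GET",
  topLevelNavigation: true,
};
function sessionCookieSentFromGoogle(sameSite) {
  return cookieIsSent({ sameSite, secure: true }, GOOGLE_CLICK);
}
```

With `sameSite: "strict"` the session cookie is withheld on the Google click, so the server sees `req.user === undefined`; with `"lax"` it is sent, while cross-site embeds and cross-site POSTs still go without it.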
