I have a curious situation with my NodeJS server: it seems like searching for the website on Google signs out the user.
The homepage is https://emocoes.org/pt/inicio. I sign in to the website and the homepage shows the version for users, such as a "Content list" button.
I open a new tab, search for the website on Google and click the link. Now the homepage no longer shows the version for users. It's as if I had signed out. When I refresh the first tab with the member version of the homepage, it also shows the public version. I checked that the session still exists in the session store.
The URL from the Google query is:
I do not see any issue in this link.
I added this tracing to the server's route for the homepage:
router.get("/pt/inicio", async (req, res) => {
  console.log("URL = %o", req.originalUrl);
  console.log("query = %o", req.query);
  console.log("User = %o", req.user);
  // The result after the Google URL is:
  // [2022-06-03T17:40:21.308Z] URL = '/pt/inicio'
  // [2022-06-03T17:40:21.308Z] query = {}
  // [2022-06-03T17:40:21.309Z] User = undefined
  ...
});
Since the session exists in the MongoDB store, it's as if clicking the Google link deletes the cookie in the browser. I use Safari on macOS, and the same thing happens to users on Windows with Google Chrome.
How can I debug this issue?
P.S.: If you want to try it yourself, create a temporary email address at dispostable.com and use it to create an account at https://emocoes.org/en/entrar.
Update
The NodeJS server code setting the cookie is:
const express = require('express');
const session = require('express-session');
const MongoDBStore = require('connect-mongodb-session')(session);

const app = express();
// store: a MongoDBStore instance; its construction is not shown in the question.
const max_session_ms = 365 * 24 * 60 * 60 * 1000; // one year

app.use(
  session({
    cookie: {
      maxAge: max_session_ms,
      sameSite: "strict",
    },
    store: store,
    secret: ...,
    signed: true, // Not an express-session option; the session cookie is always signed with `secret`.
    resave: false, // Unknown effect. See https://github.com/expressjs/session#resave
    saveUninitialized: false, // Save only explicitly, e.g. when logging in.
    httpOnly: true, // Don't let browser javascript access cookies.
    // NOTE: express-session reads httpOnly and secure only inside `cookie: {}`;
    // at this level they are ignored (see https://github.com/expressjs/session#cookie).
    secure: true
  })
);