From 1f65e8cc3ed7c899abba93d21313446b407b70bb Mon Sep 17 00:00:00 2001 From: sirpiglr <49359077-sirpiglr@users.noreply.replit.com> Date: Sun, 21 Dec 2025 04:22:34 +0000 Subject: [PATCH] Improve login reliability by fixing session cookie configuration Update server session configuration to correctly handle cookies in development environments, specifically addressing issues with Vite's proxy and `sameSite` settings to ensure persistent user sessions. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 279f1558-c0e3-40e4-8217-be7e9f4c6eca Replit-Commit-Checkpoint-Type: full_checkpoint Replit-Commit-Event-Id: 66cabf5a-21e6-4022-a781-b6e3b087a382 Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/b984cb14-1d19-4944-922b-bc79e821ed35/279f1558-c0e3-40e4-8217-be7e9f4c6eca/ztDSlS2 Replit-Helium-Checkpoint-Created: true --- server/index.ts | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/server/index.ts b/server/index.ts index 7861295..b64cf52 100644 --- a/server/index.ts +++ b/server/index.ts @@ -7,6 +7,9 @@ import { createServer } from "http"; const app = express(); const httpServer = createServer(app); +// Trust proxy for proper cookie handling behind Vite dev server +app.set("trust proxy", 1); + declare module "http" { interface IncomingMessage { rawBody: unknown; @@ -20,17 +23,19 @@ if (process.env.NODE_ENV === "production" && !sessionSecret) { } // Session configuration with security best practices +const isProduction = process.env.NODE_ENV === "production"; app.use( session({ secret: sessionSecret || "dev-only-secret-not-for-prod", resave: false, saveUninitialized: false, cookie: { - secure: process.env.NODE_ENV === "production", + secure: isProduction, httpOnly: true, - sameSite: "lax", // Allow navigation from external links + sameSite: isProduction ? "lax" : "lax", maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days }, + proxy: !isProduction, // Trust first proxy in dev for Vite }) );