如何在Cookie上指定SameSite和安全(使用axios/React/Node Express)

Question

我有一个聊天应用程序，现在已经工作了一段时间，但突然之间它在客户端给我带来了这个问题：

Because a cookie's SameSite attribute was not set or is invalid, it defaults to SameSite=Lax,
which prevents the cookie from being set in a cross-site context. This behavior protects 
user data from accidentally leaking to third parties and cross-site request forgery.

Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts.
Note that only cookies sent over HTTPS may use the Secure attribute.

我在我的React客户端上使用了这样的axios：

axios.defaults.withCredentials = true
axios.post('https://easytalkchatappv2.herokuapp.com/signin', {
      username: username,
      password: password
    }).then(res => {
      console.log(res.data)
})

我使用JWT在我的Nodejs Express服务器中对/signin的post请求中设置cookie：

const user = {id: resp.insertedId}
const accessToken = await jwt.sign(user, process.env.ACCESS_TOKEN_SECRET)

res.cookie('token', accessToken)

我也在使用cookie解析器。如何将这些SameSite和安全属性添加到cookies？

Answer 1

您应该能够将'secure‘和'sameSite’属性传递给res.cookie方法；如下所示，将x替换为您想要使用的值：

res.cookie('token', accessToken, { sameSite: x, secure: x })

正如Express文档中所示：https://expressjs.com/en/api.html#res.cookie