Actually, it's not possible to set secure cookies over reverse proxy with https.
As mentioned in this issue https://github.com/keystonejs/keystone/issues/1842#issuecomment-548743146, the app is not able to set a secure cookie when there is a proxy.
I'm not sure, I think if we enabled proxy: true on this file https://github.com/keystonejs/keystone/blob/master/packages/session/lib/session.js#L54, it should work.
Nothing else at the moment ...
It was tested with Heroku.
The docs mention proxy takes its value from Express's trust proxy setting if the former is undefined. 🤔
Ok so, we need to call app.set('trust proxy', 1). I'm a little bit confused about where I should put this configuration; it seems like the express instance is not accessible on my side (app).
You can export a configureExpress function from your entry file. See here.
Oh nice, I'll try it
I just deployed my app with this configuration, I still have the issue ...
module.exports = {
  keystone,
  apps: [
    new GraphQLApp(),
    new AdminUIApp({ authStrategy }),
    new NextApp({ dir: NEXT_APP_PATH }),
  ],
  configureExpress: app => {
    app.set('trust proxy', 1)
  },
}
Ok, so you're still getting the signin page loop with secureCookies set to true in the keystone ctor and trust proxy set in Express?
huh by default secureCookies is set to true, but I didn't add it in ctor explicitly.
I just deployed a version with secureCookies, still have the issue;

Right, forgot secureCookies defaults to true in production mode. 🤔 Only thing I can think of is you might need a different value for trust proxy. Else I don't know what could be wrong.
I've started running into this problem over the weekend also for my deployments to now.sh. Interestingly, this has only started happening recently after an upgrade to latest versions of Keystone. Haven't had time to track down what changed yet.
Yep I hit this problem as well 👍
This may be related to #1818, all the app.set values are removed by Keystone middleware somehow.
Secure cookies over reverse proxy with https, I can't get into the Admin UI, it loops and loops.
If you use a reverse proxy, you must set keystoneconfig: {
  secureCookies: false,
},
Yes, but it's not a good solution for a production environment.
Thanks to @sarunluitel1 who sent us some configs and logs. Here are a couple of tips:
app.set('trust proxy', num_proxies) when running behind one or more proxies. Unfortunately there's a bug stopping this getting propagated to Keystone apps like the Admin UI.
X-Forwarded-Proto HTTP header. For example, if you're terminating HTTPS with Nginx, add this alongside your proxy_pass settings:
proxy_set_header X-Forwarded-Proto https;
If you want to check if you've got the X-Forwarded-Proto header, try using a logger like this: https://github.com/pinojs/express-pino-logger
This is a complex topic that cuts across Keystone's internals, project code, deployment config and browser behaviour. I've written up what I know here:
Keystone 5: Secure Cookies and Reverse Proxies
Quoting from the TL;DR -- you should ensure that...
X-Forwarded-Proto header to requests
trust proxy is set)
@arnaud-zg, I'm going to close this as I believe it's addressed by my notes above. Feel free to reopen if you're still having issues.
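
Added example, not code from Keystone, express-session or any commenter in this thread: a simplified model of why the sign-in loop discussed above occurs, showing that a secure session cookie is only emitted when the proxy is trusted and it sends X-Forwarded-Proto: https. The function names, the boolean treatment of trust proxy and the cookie value are assumptions made for illustration.

```javascript
// Simplified model (an assumption, not express-session's source) of how a
// session middleware decides whether a proxied request counts as "secure".
function isSecure(req, proxyOption, expressTrustsProxy) {
  // TLS terminated by Node itself: always secure.
  if (req.encrypted) return true;
  // proxy: false -> never believe forwarded headers.
  if (proxyOption === false) return false;
  // proxy: undefined -> defer to Express's "trust proxy" setting.
  const trust = proxyOption === true || expressTrustsProxy;
  if (!trust) return false;
  // Trusted proxy: the first X-Forwarded-Proto value is the client's scheme.
  const header = String(req.headers['x-forwarded-proto'] || '');
  return header.split(',')[0].trim().toLowerCase() === 'https';
}

// With secure cookies on, Set-Cookie is only emitted for secure requests.
// A dropped cookie means no session, so the Admin UI redirects to sign-in again.
function sessionCookie(req, { secureCookies, proxy, trustProxy }) {
  if (secureCookies && !isSecure(req, proxy, trustProxy)) return null;
  // Constructed cookie value, for illustration only.
  return 'sid=constructed; Path=/; HttpOnly' + (secureCookies ? '; Secure' : '');
}

// Constructed request as Node sees it when a proxy terminates HTTPS
// and forwards plain HTTP to the app.
const viaProxy = (proto) => ({
  encrypted: false,
  headers: proto ? { 'x-forwarded-proto': proto } : {},
});

function scenarios() {
  return {
    // Header present, but Express does not trust the proxy: cookie dropped.
    noTrust: sessionCookie(viaProxy('https'),
      { secureCookies: true, proxy: undefined, trustProxy: false }),
    // Proxy trusted, but it never sets X-Forwarded-Proto: cookie dropped.
    noHeader: sessionCookie(viaProxy(null),
      { secureCookies: true, proxy: undefined, trustProxy: true }),
    // Proxy trusted and header set: Secure cookie is issued.
    both: sessionCookie(viaProxy('https'),
      { secureCookies: true, proxy: undefined, trustProxy: true }),
    // secureCookies: false "works", but the cookie loses its Secure flag.
    workaround: sessionCookie(viaProxy(null),
      { secureCookies: false, proxy: undefined, trustProxy: false }),
  };
}

console.log(scenarios());
```
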