Sails: Getting error `option sameSite is invalid` while setting `sameSite:none` in cookie options.

Created on 21 Jan 2020  ·  9 Comments  ·  Source: balderdashy/sails

Node version: 10.x
Sails version _(sails)_: 1.2.3



Getting error `option sameSite is invalid` while setting `sameSite:none` in response cookie options.

This is because sails is using [email protected] which uses [email protected], which does not support SameSite=None option in cookies. This support was added to the cookie package in version 0.4.x. To fix it can we update express to 4.17.x, which is using [email protected].

Express Changelog: https://expressjs.com/en/changelog/4x.html

I am happy to create a PR if required.

Labels: has pr proposal, try this out please

All 9 comments

@kriss1897 Thanks for posting! We'll take a look as soon as possible.

In the mean time, there are a few ways you can help speed things along:

  • look for a workaround. _(Even if it's just temporary, sharing your solution can save someone else a lot of time and effort.)_
  • tell us why this issue is important to you and your team. What are you trying to accomplish? _(Submissions with a little bit of human context tend to be easier to understand and faster to resolve.)_
  • make sure you've provided clear instructions on how to reproduce the bug from a clean install.
  • double-check that you've provided all of the requested version and dependency information. _(Some of this info might seem irrelevant at first, like which database adapter you're using, but we ask that you include it anyway. Oftentimes an issue is caused by a confluence of unexpected factors, and it can save everybody a ton of time to know all the details up front.)_
  • read the code of conduct.
  • if appropriate, ask your business to sponsor your issue. _(Open source is our passion, and our core maintainers volunteer many of their nights and weekends working on Sails. But you only get so many nights and weekends in life, and stuff gets done a lot faster when you can work on it during normal daylight hours.)_
  • let us know if you are using a 3rd party plugin; whether that's a database adapter, a non-standard view engine, or any other dependency maintained by someone other than our core team. _(Besides the name of the 3rd party package, it helps to include the exact version you're using. If you're unsure, check out this list of all the core packages we maintain.)_

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.

Hi, @kriss1897—

Thanks so much for looking into this for us! We'd be happy to check out a PR addressing this issue. If you could link to that PR in a comment to this issue, that would be fabulous. Thanks, again!

@madisonhicks I found one existing PR which should fix this issue.
https://github.com/balderdashy/sails/pull/6870

@kriss1897 Thanks for relaying the PR! For safety, we actually can't merge it since it points directly to the Express repo:
"express-session": "git+https://github.com/expressjs/session.git".
Fortunately, I do see a newer express-session v1.17.0 is out and the original creator of the PR was waiting for at least v1.16.3 👍

@johnabrams7 The issue you mentioned above has been fixed in the PR, is it possible for it to get merged?

And for anyone looking for one, here's a workaround: https://github.com/balderdashy/sails/issues/6942#issuecomment-602766432

@kriss1897 @nino-vrijman @madisonhicks @johnabrams7 just got that PR merged in. If you install the latest Sails (1.4.0), it should be fixed now.

Hi @rachaelshaw ,

I have updated Sails.js to 1.4.0 by running npm update sails. I can see that it was updated in my package.json:

  "dependencies": {
    "@sentry/node": "^5.25.0",
    "async": "2.0.1",
    "aws-sdk": "^2.771.0",
    "bcrypt": "^3.0.8",
    "cheerio": "^1.0.0-rc.3",
    "connect-mongo": "2.0.3",
    "faker": "^4.1.0",
    "json2csv": "^4.5.4",
    "lodash": "^4.17.20",
    "moment": "^2.29.1",
    "nested-pop": "^0.1.4",
    "path": "^0.12.7",
    "sails": "^1.4.0",
    "sails-hook-jobs": "^0.1.6",
    "sails-hook-organics": "^0.15.2",
    "sails-hook-orm": "^2.1.1",
    "sails-hook-sockets": "^1.5.5",
    "sails-mongo": "^1.2.0",
    "sharp": "^0.25.4",
    "skipper": "^0.8.7",
    "url": "^0.11.0",
    "util": "^0.11.1"
  }

Following is my cookie configuration which I am sure is applied for the specific environment:
[Screenshot 2020-10-12 at 10 24 53 (image of the cookie configuration, not reproduced)]

However, when I log in via Postman I still get sameSite: strict.

I am setting the cookie by this.req.session.userId = user.id; in a corresponding action. Perhaps the sameSite configuration does not get applied for the sails.sid cookie?

Do you have any idea what I am doing wrong?

Thank you.

Hi @davidkregl, it looks like the problem you are running into is because the secure attribute is set to false. sameSite: 'none' requires secure: true to work properly.
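To make the two failure modes in this thread concrete (the `option sameSite is invalid` rejection from the issue body, and the `secure: true` requirement for `sameSite: 'none'` from the comment above), here is an added example that is not code from Sails, express-session or the cookie package. It builds a Set-Cookie header from an options object shaped like the `cookie` block of Sails' config/session.js; the function name, the sample config and the error text for the missing Secure flag are assumptions made for the example.

```javascript
// Added example, not from the Sails project: models how a session cookie header is
// serialized from Sails-style options and where each rejection in this thread arises.
const SAME_SITE = { strict: 'Strict', lax: 'Lax', none: 'None' };

// Constructed sample mirroring the `cookie` block of config/session.js for a
// session cookie that must be sent on cross-site requests (hence SameSite=None).
const crossSiteSessionCookie = { path: '/', httpOnly: true, secure: true, sameSite: 'none' };

// Serialize `name=value` plus attributes. Throws on invalid options, as the cookie
// package does; the "requires secure" check mirrors what browsers enforce.
function serializeSessionCookie(name, value, opts = {}) {
  if (!/^[\w!#$%&'*.^`|~+-]+$/.test(name)) throw new TypeError('argument name is invalid');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite !== undefined) {
    // Accept true (Strict) or the strings strict/lax/none, case-insensitively.
    const key = typeof opts.sameSite === 'string' ? opts.sameSite.toLowerCase() : opts.sameSite;
    const token = key === true ? 'Strict' : SAME_SITE[key];
    // An older cookie package that knows only strict/lax lands here for 'none'.
    if (!token) throw new TypeError('option sameSite is invalid');
    // Browsers discard SameSite=None cookies that lack Secure, so refuse to emit one.
    if (token === 'None' && !opts.secure) {
      throw new TypeError('sameSite: none requires secure: true');
    }
    parts.push(`SameSite=${token}`);
  }
  return parts.join('; ');
}

// Returns null when the options serialize cleanly, otherwise the error message.
function checkSessionCookieOptions(opts) {
  try {
    serializeSessionCookie('sails.sid', 'x', opts);
    return null;
  } catch (e) {
    return e.message;
  }
}
```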

Thanks @davidkregl! I've tested this, it is working fine. Closing this ticket now.