From 37e5576949e3878943dc5bf41a4019afd4964714 Mon Sep 17 00:00:00 2001
From: Segev Finer
Date: Thu, 7 Aug 2025 17:35:20 +0300
Subject: [PATCH 1/2] localhost is also a secure origin by browsers

Also partitioned cookies are only allowed with secure, so in `secure: 'auto'` also set partitioned to false
---
 lib/cookie.js         | 3 ++-
 lib/fastifySession.js | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/cookie.js b/lib/cookie.js
index 8a58845..3234305 100644
--- a/lib/cookie.js
+++ b/lib/cookie.js
@@ -25,10 +25,11 @@ module.exports = class Cookie {
     }
 
     if (this.secure === 'auto') {
-      if (request.protocol === 'https') {
+      if (request.protocol === 'https' || request.hostname === 'localhost') {
         this.secure = true
       } else {
         this.sameSite = 'lax'
+        this.partitioned = false
         this.secure = false
       }
     }
diff --git a/lib/fastifySession.js b/lib/fastifySession.js
index 56aa6f4..9641179 100644
--- a/lib/fastifySession.js
+++ b/lib/fastifySession.js
@@ -166,7 +166,7 @@ function fastifySession (fastify, options, next) {
 
     const cookieSessionId = getCookieSessionId(request)
     const saveSession = shouldSaveSession(request, cookieSessionId, saveUninitializedSession, rollingSessions)
-    const isInsecureConnection = cookieOpts.secure === true && request.protocol !== 'https'
+    const isInsecureConnection = cookieOpts.secure === true && request.protocol !== 'https' && request.hostname !== 'localhost'
     const sessionIdWithPrefix = hasCookiePrefix ? `${cookiePrefix}${session.encryptedSessionId}` : session.encryptedSessionId
     if (!saveSession || isInsecureConnection) {
       // if a session cookie is set, but has a different ID, clear it
From 967dee465ec9e880c5e3b86ffb8f6666a95915ee Mon Sep 17 00:00:00 2001
From: Segev Finer
Date: Tue, 2 Dec 2025 11:15:49 +0200
Subject: [PATCH 2/2] Try to fix tests

---
 test/cookie.test.js  | 2 ++
 test/session.test.js | 1 +
 test/util.js         | 2 +-
 3 files changed, 4 insertions(+), 1 deletion(-)

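Review bot: The new `request.hostname === 'localhost'` test in lib/cookie.js matches only the literal name, so the loopback IP literals and `*.localhost` names that the Secure Contexts definition also treats as potentially trustworthy, and an upper-cased Host header, still take the insecure branch, while on Fastify majors where `hostname` still carries the port (`localhost:3000`) the branch is never taken — worth confirming against the Fastify version this targets. The same predicate is repeated on the `isInsecureConnection` line in lib/fastifySession.js; one shared helper such as `const isLocalhost = (hostname) => hostname === 'localhost' || hostname.endsWith('.localhost')` (extended with whatever loopback forms you decide to honour) used in both files keeps them from drifting. Because `hostname` is derived from the client-supplied Host header, a comment on the condition like `// browsers treat http://localhost as a secure context, so a Secure cookie is accepted there` records why relying on it is acceptable in this auto mode. The enclosing method starts and ends outside the hunk.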
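Review bot: With `secure: true` the session cookie was previously withheld on every non-https request, and the changed `isInsecureConnection` line now emits it whenever the request host is `localhost`; since `request.hostname` comes from the Host header (or a forwarded host header when trustProxy is enabled, if I read Fastify correctly), a reverse proxy that rewrites Host to `localhost` while forwarding plain http would now get a Secure cookie set where the old refusal made the misconfiguration visible. That is likely acceptable as a development convenience, but the `secure` option docs should state it, e.g. `secure: true — the cookie is only set on https requests, or on plain-http requests whose host is localhost`. The onSend hook body this line sits in continues outside the hunk.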
diff --git a/test/cookie.test.js b/test/cookie.test.js
index f999f94..f4c1707 100644
--- a/test/cookie.test.js
+++ b/test/cookie.test.js
@@ -318,6 +318,7 @@ test('should set session cookie secureAuto', async (t) => {
   t.after(() => { fastify.close() })
 
   const response = await fastify.inject({
+    authority: 'fastify-session.test',
     url: '/'
   })
 
@@ -345,6 +346,7 @@ test('should set session cookie secureAuto change SameSite', async (t) => {
   t.after(() => { fastify.close() })
 
   const response = await fastify.inject({
+    authority: 'fastify-session.test',
     url: '/'
   })
 
diff --git a/test/session.test.js b/test/session.test.js
index ac675ef..cb2ceb0 100644
--- a/test/session.test.js
+++ b/test/session.test.js
@@ -1231,6 +1231,7 @@ test('Override global options with regenerate', async t => {
   fastify.register(fastifyCookie)
   fastify.register(fastifySession, {
     ...DEFAULT_OPTIONS,
+    saveUninitialized: true,
     cookie: {
       secure: false,
       maxAge: 42,
diff --git a/test/util.js b/test/util.js
index b46701d..18c70ce 100644
--- a/test/util.js
+++ b/test/util.js
@@ -6,7 +6,7 @@ const fastifySession = require('../lib/fastifySession')
 const TestStore = require('./TestStore')
 
 const DEFAULT_SECRET = 'cNaoPYAwF60HZJzkcNaoPYAwF60HZJzk'
-const DEFAULT_OPTIONS = { secret: DEFAULT_SECRET }
+const DEFAULT_OPTIONS = { secret: DEFAULT_SECRET, saveUninitialized: false }
 const DEFAULT_SESSION_ID = 'Qk_XT2K7-clT-x1tVvoY6tIQ83iP72KN'
 const DEFAULT_ENCRYPTED_SESSION_ID = `${DEFAULT_SESSION_ID}.B7fUDYXU9fXF9pNuL3qm4NVmSduLJ6kzCOPh5JhHGoE`
 const DEFAULT_COOKIE_VALUE = `sessionId=${DEFAULT_ENCRYPTED_SESSION_ID};`
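Review bot: Both secureAuto tests in test/cookie.test.js are moved to `authority: 'fastify-session.test'` so they keep exercising the insecure branch, but nothing in the series asserts the new behaviour itself: no test injects with the default (localhost) authority and checks that the cookie carries `Secure` and does not carry `Partitioned`, and no test pins that a plain-http localhost request with `secure: true` now sets the cookie. Adding a `should set session cookie secureAuto on localhost` case next to these two would lock in the branch the first patch introduces. The flip of `DEFAULT_OPTIONS` in test/util.js also changes the fixture every other test inherits, and a one-line comment on that line saying why the localhost change requires `saveUninitialized: false` would spare the next reader from re-deriving it from a commit titled "Try to fix tests".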