Medusa v1.x | Express-Session Cookie Configuration #9175
C0llect0r started this conversation in Feature Requests
Replies: 0 comments
Dear Medusa JS Team,
I'm currently using Medusa for a bigger project with different environments (e.g. dev, staging, production) with session cookie authentication. Unfortunately the session cookie settings are not configurable, which I would like to change. For v1.x these are defined here:
medusa/packages/medusa/src/loaders/express.ts, line 21 in d09630c
In my current development team not all developers can run the backend locally, so they use the hosted backends for testing the frontend. When using the development environment the SameSite attribute is unset, which leads to the browser's default behaviour: under Google Chrome, for example, the cookie is treated as Lax and is not sent on cross-origin requests.
While this issue can be mitigated by simply setting the environment to staging or production in the cloud, or by using a different browser like Firefox, it is not a nice solution.
Furthermore, it confuses me that the default behaviour for those environments is `SameSite: "None"`, because in a production environment you would likely host your backend and frontend on the same domain, meaning the cookie is safe to use and you have higher protection against cross-site request forgery. Can you make that configurable through the `session_options` of the `projectConfig` defined in the `medusa-config.js` file inside of the backend? Like for both the `SameSite` and `Secure` attributes. I can also create a PR for that if you want.