I set cookies in NodeJS with the following code:

const session = require('express-session');
const MongoDBStore = require('connect-mongodb-session')(session);

const max_session_ms = 365 * 24 * 60 * 60 * 1000;

// Initialize mongodb session storage to remember users.
const store = new MongoDBStore({
  uri: MONGO_URI,
  expires: max_session_ms,
});


// Enable sessions using encrypted cookies
app.use(
  session({
    cookie: {
      maxAge: max_session_ms,
      sameSite: "lax",
    },
    store: store,
    secret: "some secret",
    signed: true,
    resave: true,  // Resave when user visits again and extend expiration date.
    saveUninitialized: false,  // Save only explicitly, e.g. when logging in.
    httpOnly: true,  // Don't let browser javascript access cookies.
    secure: true, // Use cookies over https.
  })
);

When I look at the cookie on Safari, connecting to the production server on the web domain with an SSL certificate via HTTPS, HttpOnly is checked but Secure is not checked:

The Set-Cookie header that a browser receives (using Firefox set to refuse all cookies) looks like this:

Set-Cookie: connect.sid=s%3Ap06....DBs...; Path=/; Expires=Wed, 18 Mar 2026 10:33:14 GMT; HttpOnly; SameSite=Lax

Furthermore, MongoDB is saving cookies for every visit, e.g. bots, when saveUninitialized: false should save them only for authenticated users. MongoDB now has 1.5 million sessions without a user for only 1 thousand sessions with a user.

Am I using the cookie settings correctly? If so, how should I debug this issue?

update

I tried with CURL, curl -v , and I don't see a Set-Header cookie in the response because it redirects to another page. If I use cURL with the destination URL, i.e. curl -v , then I see a cookie header:

< content-type: text/html; charset=utf-8
< x-powered-by: Express
< set-cookie: connect.sid=s%3AEmB...Dk5.pLlK...Cs4; Path=/; Expires=Tue, 24 Mar 2026 19:41:28 GMT; HttpOnly; SameSite=Lax
< cf-cache-status: DYNAMIC

I set cookies in NodeJS with the following code:

const session = require('express-session');
const MongoDBStore = require('connect-mongodb-session')(session);

const max_session_ms = 365 * 24 * 60 * 60 * 1000;

// Initialize mongodb session storage to remember users.
const store = new MongoDBStore({
  uri: MONGO_URI,
  expires: max_session_ms,
});


// Enable sessions using encrypted cookies
app.use(
  session({
    cookie: {
      maxAge: max_session_ms,
      sameSite: "lax",
    },
    store: store,
    secret: "some secret",
    signed: true,
    resave: true,  // Resave when user visits again and extend expiration date.
    saveUninitialized: false,  // Save only explicitly, e.g. when logging in.
    httpOnly: true,  // Don't let browser javascript access cookies.
    secure: true, // Use cookies over https.
  })
);

When I look at the cookie on Safari, connecting to the production server on the web domain with an SSL certificate via HTTPS, HttpOnly is checked but Secure is not checked:

The Set-Cookie header that a browser receives (using Firefox set to refuse all cookies) looks like this:

Set-Cookie: connect.sid=s%3Ap06....DBs...; Path=/; Expires=Wed, 18 Mar 2026 10:33:14 GMT; HttpOnly; SameSite=Lax

Furthermore, MongoDB is saving cookies for every visit, e.g. bots, when saveUninitialized: false should save them only for authenticated users. MongoDB now has 1.5 million sessions without a user for only 1 thousand sessions with a user.

Am I using the cookie settings correctly? If so, how should I debug this issue?

update

I tried with CURL, curl -v https://ginja., and I don't see a Set-Header cookie in the response because it redirects to another page. If I use cURL with the destination URL, i.e. curl -v https://ginja./pt/inicio, then I see a cookie header:

< content-type: text/html; charset=utf-8
< x-powered-by: Express
< set-cookie: connect.sid=s%3AEmB...Dk5.pLlK...Cs4; Path=/; Expires=Tue, 24 Mar 2026 19:41:28 GMT; HttpOnly; SameSite=Lax
< cf-cache-status: DYNAMIC

• node.js
• mongodb
• express
• cookies
• session-cookies

• 1 Are you actually accessing the whole thing via HTTPS? (If not, secure would only work for localhost.) – C3roe Commented Mar 18 at 8:33
• @C3roe The snapshot comes from the production server with an HTTPS / SSL connection. When the server runs locally on localhost, secure:true fails because I don't have an SSL certificate for localhost. – emonigma Commented Mar 18 at 8:43
• 1 What does the actual Set-Cookie header the client receives, look like? – C3roe Commented Mar 18 at 8:56
• 1 Yes, the settings are correct, and if they are being used, you should see no Set-Cookie header on a request without cookies. The simplest way to test is with curl: curl -v https://the_url and examine headers. For "how to debug" is a very broad question. There is nothing special about session, so do your usual routine. Mine is to test and reproduce in isolation, then add logging, if still not clear - write tests and go with interactive debugging in IDE. – Alex Blex Commented Mar 20 at 9:46
• 1 interesting, I think you are on the right path. Does the curl request still saves the session in the db? If not, try to export the firefox request as curl (it will have much more parameters) and find out which part of it triggers the session persistence by eliminating headers one at a time. – Alex Blex Commented Mar 20 at 11:40

1 Answer 1

I found the issue: elsewhere in the code, I also use flash messages. If I turn them off, then cURL and Firefox don't receive a cookie and a session is not created in MongoDB. If I turn them on, then cURL and Firefox get a cookie and a session is created in MongoDB to store and serve that flash message.

My solution is to keep the cookies and the flash messages, and delete the sessions from MongoDB every day.