Node.js，Angular，快速 session : Chrome 80 does not save session because of cookie policy (sameSite cookies)

Question

我有一个 Node.js，Angular 应用程序。 (用 TypeScript 编写的 Node.js 服务器)。
Node.js 服务器在 Amazon EC-2 实例上运行，Angular 客户端在另一台服务器上。

对于登录 session ，我使用 express-session。我没有在应用程序中使用 cookie，所以我认为问题在于快速 session cookie。
在 Firefox 上它可以正常工作，但在 Google Chrome (80.0.3987.149) 上它不起作用:Chrome 不保存 session (所以我不能离开登录页面)并警告:

A cookie associated with a cross-site resource at http://addressof.myserverapp.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

在 Node.js 服务器中，我以这种方式设置了 express-sessions:

import cookieParser from 'cookie-parser';
app.use(cookieParser(secret));

app.use(session({
    secret: secret,
    resave: false,
    saveUninitialized: false,
    cookie: {
        httpOnly: false,
        maxAge: null,
        secure: true,
        sameSite: 'none'
    },
    store: sessionStore // MySqlStore - express-mysql-session
}));

我也试图用这个代码片段来解决这个问题(来自 https://github.com/expressjs/session/issues/725#issuecomment-605922223)

Object.defineProperty(session.Cookie.prototype, 'sameSite', {
    // sameSite cannot be set to `None` if cookie is not marked secure
    get() {
        return this._sameSite === 'none' && !this.secure ? 'lax' : this._sameSite;
    },
    set(value) {
        this._sameSite = value;
    }
});

服务器 npm 包:

"cors": "^2.8.5",
"cookie-parser": "^1.4.5",
"express": "^4.17.1",
"express-mysql-session": "^2.1.3",
"express-session": "^1.17.0",

Npm version: 6.13.4
Node version: 12.16.1

我花了几天的时间解决这个问题来弄清楚我做错了什么......

Answer 1

这里的问题是您通过 HTTP 访问网站，但 cookie secure设置为 true ，这意味着它将仅通过 HTTPS 发送。
如果您设置 secure: false在 express-session cookie 选项，它将起作用:

import cookieParser from 'cookie-parser';
app.use(cookieParser(secret));

app.use(session({
    secret: secret,
    resave: false,
    saveUninitialized: false,
    cookie: {
        httpOnly: false,
        maxAge: null,
        // allow the cookie to be sent via HTTP ("true" means "HTTPS only)
        secure: false, 
        sameSite: 'none'
    },
    store: sessionStore
}));