Question

I'm working through the following Connect example:

var connect = require('connect');
var timeout = 30000; // session timeout: 30 seconds
var sessionOpts = {
    secret: 'keyboard cat',
    key: 'myapp_sid',
    cookie: { maxAge: timeout, secure: true } /* Example doesn't work with secure? */
};

var app = connect()
    .use(connect.favicon())
    .use(connect.cookieParser('keyboard cat'))
    .use(connect.session(sessionOpts))
    .use(function (req, res, next) {
        var sess = req.session;
        if (sess.views) {
            res.setHeader('Content-Type', 'text/html');
            res.write('<p>views: ' + sess.views + '</p>');
            sess.views++; // update the session before res.end(): the session middleware saves it when the response ends
            res.end();
        } else {
            sess.views = 1;
            res.end('welcome to the session demo. refresh!');
        }
    })
    .listen(3000);

When I go to the site, if the cookie option does not include secure: true then the number of views is incremented and reset after 30 seconds. When I include the secure option the session no longer stays around for 30 seconds, it resets every refresh.

What is the secure option for and how can I use it with Connect's session middleware?


Solution

The secure parameter sets the secure flag for HTTP cookies:

The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text. To accomplish this goal, browsers which support the secure flag will only send cookies with the secure flag when the request is going to an HTTPS page. Said in another way, the browser will not send a cookie with the secure flag set over an unencrypted HTTP request.

In your case, the secure cookie is likely not being sent at all, because you are not serving your page over HTTPS.
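As an added illustration (not part of the question or the answer, and not Connect's own code), the following simulation applies that browser rule to the question's setup: a toy "server" issues the myapp_sid cookie the way sessionOpts configures it, and a toy cookie jar only returns Secure cookies to https:// origins. Over plain http:// the counter never gets past 1, which is exactly the "resets every refresh" symptom. All names and values here are constructed for the example.

```javascript
// Parse one Set-Cookie header value into { name, value, secure, maxAge }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const [name, value] = parts[0].split('=');
  const cookie = { name, value, secure: false, maxAge: null };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'max-age') cookie.maxAge = Number(v);
  }
  return cookie;
}

// Build the Cookie header a browser would send to requestUrl from a jar
// (Map of name -> cookie). Secure cookies go out only over https.
function cookieHeaderFor(jar, requestUrl) {
  const scheme = new URL(requestUrl).protocol;
  return [...jar.values()]
    .filter((c) => !c.secure || scheme === 'https:')
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Simulate the question's views counter over `refreshes` requests to origin.
// The server side is a hypothetical stand-in for connect.session: it creates a
// session and sets myapp_sid (with Secure when secureFlag is true) whenever the
// request carries no known session id. Returns the final views count.
function simulateViews(origin, secureFlag, refreshes) {
  const sessions = new Map(); // session id -> { views }
  const jar = new Map();      // the browser's cookie store
  let nextId = 1;
  let lastViews = 0;
  for (let i = 0; i < refreshes; i++) {
    const sent = cookieHeaderFor(jar, origin + '/');
    const m = /myapp_sid=(\w+)/.exec(sent);
    let sid = m && sessions.has(m[1]) ? m[1] : null;
    if (!sid) {
      sid = 's' + nextId++;
      sessions.set(sid, { views: 0 });
      const setCookie = `myapp_sid=${sid}; Max-Age=30${secureFlag ? '; Secure' : ''}`;
      jar.set('myapp_sid', parseSetCookie(setCookie)); // stored, but never sent over http if Secure
    }
    const sess = sessions.get(sid);
    sess.views += 1;
    lastViews = sess.views;
  }
  return lastViews;
}
```

With secureFlag set, simulateViews('http://localhost:3000', true, 3) stays at 1 while simulateViews('https://localhost:3000', true, 3) reaches 3.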

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow