Redirect logged-in users to https in Express?

I'm using PassportJS with a username/password strategy to authenticate users on my website. I've ensured that users must log in over HTTPS, and I've ensured that the session cookie is only sent over HTTPS:

app.use(express.session({
    // ...
    cookie: { secure:true }
}));

But now, if someone logs in (over HTTPS) and then returns to the website over HTTP, it looks like they're not logged in, because their browser doesn't send the cookie.

I'd like to redirect logged-in users to HTTPS.

I figure that I need to issue two cookies: one with the session details (marked secure: true), and one that merely says "you're logged in" (marked secure: false). If I see the second cookie over HTTP, I can redirect to HTTPS, and the secure cookie will be sent. Presto: logged-in user is redirected to HTTPS.

Question: how do I do this in Express?

Add a Strict-Transport-Security header when someone accesses the site over HTTPS. This will cause their browser to automatically rewrite HTTP to HTTPS when next visiting the site.

app.use(function(req, res, next) {
    // req.secure is a boolean property in Express, not a function
    if (req.secure) {
        res.header('Strict-Transport-Security', 'max-age=31536000');
    }

    next();
});

When the user is logged in successfully, set a cookie:

res.cookie('loggedin', '1', { secure : false /*, other options */ });

Next, use a middleware which checks for that cookie:

app.use(function(req, res, next) {
  // req.cookies is populated by the cookie-parser middleware
  if (req.cookies.loggedin === '1' && !req.secure)
  {
    res.redirect(HTTPS_LOCATION);
  }
  else
  {
    next();
  }
});

The value of HTTPS_LOCATION depends on your setup, but you can probably build it using req.path.
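
The two answers above combined into one sketch, as an added example that is not code from the original posts: the HSTS header on HTTPS responses, plus the marker-cookie redirect with the HTTPS location built from a configured host instead of the request's Host header. `CANONICAL_HOST`, the function names and the `simulate` helper are assumptions made for illustration; the request objects are constructed stand-ins so it runs without Express.

```javascript
// Added example: Express-style middleware written as plain (req, res, next) functions.
const CANONICAL_HOST = 'www.example.com'; // assumption: your site's HTTPS host name

// Build the redirect target from configuration, not from the client-supplied
// Host header, so a forged Host cannot turn the redirect into an open redirect.
function httpsLocation(req) {
  const path = req.originalUrl || '/';
  // A request target that does not start with '/' must not be appended to the host.
  return 'https://' + CANONICAL_HOST + (path.startsWith('/') ? path : '/');
}

// Send HSTS only on HTTPS responses (browsers ignore it over plain HTTP).
function hsts(req, res, next) {
  if (req.secure) { // boolean property in Express
    res.setHeader('Strict-Transport-Security', 'max-age=31536000');
  }
  next();
}

// The marker cookie is only a hint: it grants nothing, and the secure session
// cookie still decides whether the user is authenticated.
function redirectLoggedIn(req, res, next) {
  const cookies = req.cookies || {}; // populated by cookie-parser in Express
  if (!req.secure && cookies.loggedin === '1') {
    return res.redirect(httpsLocation(req));
  }
  next();
}

// Constructed request/response stand-ins so the logic can be exercised offline.
function simulate(middleware, req) {
  const out = { headers: {}, redirectedTo: null, nextCalled: false };
  const res = {
    setHeader(name, value) { out.headers[name] = value; },
    redirect(url) { out.redirectedTo = url; },
  };
  middleware(req, res, () => { out.nextCalled = true; });
  return out;
}

console.log(simulate(redirectLoggedIn,
  { secure: false, cookies: { loggedin: '1' }, originalUrl: '/account?tab=1' }));
```

In a real app both functions would be registered with `app.use(...)` after cookie-parser, and behind a TLS-terminating proxy `req.secure` is only accurate once Express's `trust proxy` setting is configured.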