From dea96f115355d8e91792c6dba040bfce6aaca317 Mon Sep 17 00:00:00 2001
From: Vexx
Date: Fri, 22 May 2026 01:05:35 +0530
Subject: [PATCH] Add HttpOnly, Secure, SameSite, and maxAge flags to session cookie

express-session was configured with no cookie options, leaving the connect.sid session identifier readable via document.cookie (no HttpOnly), transmittable over HTTP (no Secure), and attachable by any cross-site request (no SameSite). Add cookie flags with environment-aware values: Secure and SameSite=Strict are active only when NODE_ENV=production so that local development over plain HTTP continues to work without disabling cookie behaviour. SameSite=lax in development still blocks third-party POST CSRF while allowing top-level navigation redirects. Set maxAge to 24 hours to bound the lifetime of an exposed session ID. Add ENV NODE_ENV=production to Dockerfile.prod so the production cookie policy activates automatically in containerised deploys. Document NODE_ENV in .env.sample so local developers set it explicitly. Closes #373
---
 backend/.env.sample | 1 +
 backend/Dockerfile.prod | 3 +++
 backend/server.js | 6 ++++++
 3 files changed, 10 insertions(+)

diff --git a/backend/.env.sample b/backend/.env.sample
index 98f96881..fbdd39d8 100644
--- a/backend/.env.sample
+++ b/backend/.env.sample
@@ -1,3 +1,4 @@
 PORT=5000
 MONGO_URI=mongodb://localhost:27017/githubTracker
 SESSION_SECRET=your-secret-key
+NODE_ENV=development
diff --git a/backend/Dockerfile.prod b/backend/Dockerfile.prod
index 9f35a107..1a229349 100644
--- a/backend/Dockerfile.prod
+++ b/backend/Dockerfile.prod
@@ -13,6 +13,9 @@ RUN npm install --production # Copy the rest of the application files COPY . . +# Set production environment so session cookies get Secure + SameSite=Strict +ENV NODE_ENV=production + # Expose the port for the application EXPOSE 5000
diff --git a/backend/server.js b/backend/server.js
index 3f19f00b..68f4cc3e 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -20,6 +20,12 @@ app.use(session({
 secret: process.env.SESSION_SECRET,
 resave: false,
 saveUninitialized: false,
+ cookie: {
+ httpOnly: true,
+ secure: process.env.NODE_ENV === 'production',
+ sameSite: process.env.NODE_ENV === 'production' ? 'strict' : 'lax',
+ maxAge: 24 * 60 * 60 * 1000,
+ },
 }));
 app.use(passport.initialize());
 app.use(passport.session());
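Review bot: With `secure: true` now active in production, express-session will not set the cookie on a request it sees as plain HTTP, which is exactly what a TLS-terminating reverse proxy or container ingress presents to the app; unless server.js already calls `app.set('trust proxy', 1)` (not visible in this hunk), production logins would silently stop working, so that setting should land alongside this change. The `'strict'` SameSite value in production is also likely to break the Passport OAuth callback: the redirect back from the identity provider is a cross-site top-level navigation, so the browser will not attach the session cookie to it, and if the strategy keeps its OAuth state in the session the callback cannot be verified — `'lax'` blocks cross-site POSTs just the same while permitting that navigation, which is worth confirming against the auth routes before shipping. The two `process.env.NODE_ENV === 'production'` checks could be hoisted into one `const isProduction = process.env.NODE_ENV === 'production';` placed above the `app.use(session({` line, which itself lies outside the hunk.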