Follow-up from Express session loses passport user ID on a Safari cookie every week. In Express and NodeJS, I want to set a cookie's domain so user agents see it as a first-party cookie. If I set it per the documentation:

const session = require('express-session');
const MongoDBStore = require('connect-mongodb-session')(session);
const express = require('express');
const app = express();
const max_session_ms = 365 * 24 * 60 * 60 * 1000;

app.use(
  session({
    cookie: {
      // Specifies how long the user's browser should keep their cookie, probably should match session expiration.
      maxAge: max_session_ms,
      sameSite: "lax",
      domain: "localhost:8080",
    },
    store: store,
    secret: some_secret,
    signed: true,
    resave: false,  // Unknown effect. See https://github.com/expressjs/session#resave
    saveUninitialized: false,  // Save only explicitly, e.g. when logging in.
    httpOnly: true,  // Don't let browser javascript access cookies.
    secure: false, // Only use cookies over https in production.
  })
);

then the domain is set in MongoDB:

> db.sessions.find().pretty()
[
  {
    _id: 'g6u-kuqpZDd28IyKkP4-dAfg8u7Mw_Tp',
    expires: ISODate('2026-02-25T09:09:34.210Z'),
    session: {
      cookie: {
        originalMaxAge: 31536000000,
        partitioned: null,
        priority: null,
        expires: ISODate('2026-02-25T09:09:34.210Z'),
        secure: null,
        httpOnly: true,
        domain: 'localhost:8080',
        path: '/',
        sameSite: 'lax'
      },
      flash: {}
    }
  }
]

but I get an error, coming from the modules and outside my own code, that prevents serving assets:

[2025-02-25T09:01:28.226Z] TypeError: option domain is invalid
    at Object.serialize (~/server/node_modules/cookie/index.js:217:13)
    at setcookie (~/server/node_modules/express-session/index.js:665:21)
    at ServerResponse.<anonymous> (~/server/node_modules/express-session/index.js:248:9)
    at ServerResponse.writeHead (~/server/node_modules/on-headers/index.js:35:16)
    at ServerResponse.writeHead (~/server/node_modules/on-headers/index.js:44:26)
    at ServerResponse._implicitHeader (node:_http_server:338:8)
    at writetop (~/server/node_modules/express-session/index.js:284:15)
    at ServerResponse.end (~/server/node_modules/express-session/index.js:351:16)
    at ServerResponse.send (~/server/node_modules/express/lib/response.js:232:10)
    at done (~/server/node_modules/express/lib/response.js:1045:10)

If I set the domain outside the cookie, i.e.:

app.use(
  session({
    cookie: {
      // Specifies how long the user's browser should keep their cookie, probably should match session expiration.
      maxAge: max_session_ms,
      sameSite: "lax",
    },
    domain: "localhost:8080",
    store: store,
    secret: some_secret,
    signed: true,
    resave: false,  // Unknown effect. See https://github.com/expressjs/session#resave
    saveUninitialized: false,  // Save only explicitly, e.g. when logging in.
    httpOnly: true,  // Don't let browser javascript access cookies.
    secure: false, // Only use cookies over https in production.
  })
);

then I don't get the error, but the MongoDB database does not store the domain of the cookie:

> db.sessions.find().pretty()
[
  {
    _id: 'ibvlIGHwATOV1siRT4NB-a2AhzhyZL68',
    expires: ISODate('2026-02-25T09:07:13.289Z'),
    session: {
      cookie: {
        originalMaxAge: 31536000000,
        partitioned: null,
        priority: null,
        expires: ISODate('2026-02-25T09:07:13.289Z'),
        secure: null,
        httpOnly: true,
        domain: null,
        path: '/',
        sameSite: 'lax'
      },
      flash: {}
    }
  }
]

How can I set a cookie's domain in NodeJS and Express? Or how can I debug the error coming from outside my own code?

  • The port 8080 is probably the problem, see: stackoverflow.com/q/1612177/21972629. You might want to remove that. Commented Feb 25 at 10:17
  • @jQueeny Thank you! Can you please write an answer and I'll accept it? Commented Mar 18 at 7:40
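
An added example (not part of the original post, and not code from express-session or the cookie module) that lints a `session()` options object for the two things visible in the question: a `Domain` value that carries a port, and cookie attributes placed outside `cookie`. The option names are the ones the express-session README documents; the function names, the label check and the sample objects are constructed for illustration.

```javascript
// Options express-session documents at the top level, and under `cookie`.
const KNOWN_TOP_LEVEL = new Set(["cookie", "genid", "name", "proxy", "resave",
  "rolling", "saveUninitialized", "secret", "store", "unset"]);
const COOKIE_ATTRS = new Set(["domain", "expires", "httpOnly", "maxAge",
  "partitioned", "path", "priority", "sameSite", "secure"]);
// One DNS label: letters, digits, hyphens; no leading/trailing hyphen; <= 63 chars.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

// Returns null if `value` is usable as a Domain attribute, else a reason string.
function domainProblem(value) {
  if (typeof value !== "string" || value === "") return "must be a non-empty string";
  if (value.includes("://")) return "is a URL, not a host name";
  if (/:\d+$/.test(value)) return "contains a port; cookies are not scoped by port";
  const host = value.startsWith(".") ? value.slice(1) : value;
  const bad = host.split(".").find((label) => !LABEL.test(label));
  return bad === undefined ? null : `has an invalid label "${bad}"`;
}

// Returns an array of human-readable findings for a session() options object.
function lintSessionOptions(opts) {
  const findings = [];
  for (const key of Object.keys(opts)) {
    if (KNOWN_TOP_LEVEL.has(key)) continue;
    findings.push(COOKIE_ATTRS.has(key)
      ? `"${key}" is a cookie attribute and belongs under cookie`
      : `"${key}" is not a documented express-session option`);
  }
  const cookie = opts.cookie || {};
  if (cookie.domain != null) {
    const reason = domainProblem(cookie.domain);
    if (reason) findings.push(`cookie.domain "${cookie.domain}" ${reason}`);
  }
  return findings;
}

// Constructed inputs mirroring the two configurations in the question.
const first = { cookie: { maxAge: 1000, sameSite: "lax", domain: "localhost:8080" },
  secret: "placeholder", signed: true, resave: false, saveUninitialized: false,
  httpOnly: true, secure: false };
const second = { cookie: { maxAge: 1000, sameSite: "lax" }, domain: "localhost:8080",
  secret: "placeholder", resave: false, saveUninitialized: false };
console.log(lintSessionOptions(first));
console.log(lintSessionOptions(second));
```

Leaving `cookie.domain` unset produces a host-only cookie, which is the narrowest scope and works for `localhost` on any port.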
