Why doesn't express-session see httpOnly: false in config?

W

WizardW2019-07-02 22:06:24

Sessions

WizardW, 2019-07-02 22:06:24

Why doesn't express-session see httpOnly=false and store the session with httpOnly= true so that any cookie from the browser via js is not retrieved?
Session config:

app.use(
  session({
    secret: process.env.SECRET_KEY,
    resave: false,
    httpOnly: false,
    saveUninitialized: false,
    store: new MongoStore({ url: process.env.DB_CONNECTION })
  })
);

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

�

and so?

app.use(
  session({
    secret: process.env.SECRET_KEY,
    resave: false,
    cookie: { httpOnly: false },
    saveUninitialized: false,
    store: new MongoStore({ url: process.env.DB_CONNECTION })
  })
);