I made an article about how express sessions will make a new cookie & save it to the database when the secure property is set to true on an insecure connection. The connection has to be https for the cookie to be sent. In that article, I said the answer was to set secure to false, but that's only when your testing the session.

When I went to a secure connection, I started getting the same issue. I found out that if you have a proxy server(ex. nginx) on your backend, you have to tell the express app that you are using a proxy. This can be done by setting the proxy property to true.

When the proxy property is set to true. The x-headers will come into play. These headers are set when a proxy is being used. The x-forwarded header tells you the ip address of the client(browser) that is making the request. This header can sometimes be false when the proxy is not configured correctly.

The x-forwarded-host header tells you the name of the host the client is trying to connect to. Since there is a proxy in between the host name may be different from the server handling the request. Finally, you have the x-forwarded-proto header, this tells you the protocol(ex. https or http) used when the client connects to the proxy server.