JAVASCRIPT
Configuring Secure, HTTP-Only Cookies with SameSite
Learn to configure session cookies with the `HttpOnly`, `Secure`, and `SameSite` attributes so that they cannot be read by injected script (XSS), cannot be sent over plain HTTP (sniffing and session hijacking), and are not attached to forged cross-site requests (CSRF).
const crypto = require('crypto');
const express = require('express');
const cookieParser = require('cookie-parser');
const app = express();
app.use(cookieParser());

// Server-side session store: token -> userId. An in-memory Map is fine for a
// demo; use a shared store (Redis, a database) for anything multi-process.
const sessions = new Map();

// Define the cookie attributes once so that setting and clearing agree:
// browsers only remove a cookie when name, Domain and Path match, so
// /logout reuses these options (minus maxAge).
const SESSION_COOKIE = 'session';
const cookieOptions = {
  httpOnly: true,   // Important: not readable by client-side JavaScript (limits the damage of XSS)
  secure: true,     // Important: sent only over HTTPS (prevents sniffing on the wire)
  sameSite: 'Lax',  // Important: protects against CSRF. Options: 'Strict', 'Lax', 'None'
  // 'Lax' sends the cookie on same-site requests and on top-level navigations from
  //   other sites that use a safe method (GET); NOT on cross-site POSTs, <img>/<iframe>
  //   loads or fetch()/XHR calls.
  // 'Strict' sends the cookie only on same-site requests, so a user who follows a link
  //   from another site arrives without a session until they navigate again.
  // 'None' sends the cookie with all cross-site requests; browsers require 'Secure' with it.
  path: '/',        // Cookie is valid for all paths
};

// A real login would verify credentials sent via POST; GET is kept here only
// to simulate a successful login.
app.get('/login', (req, res) => {
  const userId = 'user123';
  // 256 bits from the CSPRNG: the token must be unguessable, never a fixed string.
  const sessionToken = crypto.randomBytes(32).toString('hex');
  sessions.set(sessionToken, userId);
  res.cookie(SESSION_COOKIE, sessionToken, {
    ...cookieOptions,
    maxAge: 3600000, // Cookie expires in 1 hour (milliseconds)
  });
  res.send(`Logged in. Session cookie set for user: ${userId}`);
});

app.get('/logout', (req, res) => {
  sessions.delete(req.cookies[SESSION_COOKIE]); // invalidate server-side as well
  res.clearCookie(SESSION_COOKIE, cookieOptions);
  res.send('Logged out.');
});

app.get('/dashboard', (req, res) => {
  const userId = sessions.get(req.cookies[SESSION_COOKIE]);
  if (userId) {
    // Never echo the token into the page: anything in the DOM is readable by
    // injected script, which would undo the HttpOnly protection.
    res.send(`Welcome to your secure dashboard, ${userId}!`);
  } else {
    res.status(401).send('Unauthorized. Please log in.');
  }
});

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
  console.log(`Server running on port ${PORT}`);
});
How it works: This snippet demonstrates how to set a session cookie securely in an Express.js application. `httpOnly: true` keeps the cookie out of `document.cookie`, so a script injected through XSS cannot read and exfiltrate the session token; it does not stop that script from issuing requests that ride on the cookie, so HttpOnly limits the damage of XSS rather than preventing it. `secure: true` marks the cookie for HTTPS only: a browser will neither send it over plain HTTP nor store it when it was set over plain HTTP, so the demo must be served over TLS (current Chrome and Firefox treat `http://localhost` as a secure context, which is enough for local development). `sameSite` controls whether the cookie accompanies cross-site requests. `Lax` attaches it to top-level navigations that use a safe method such as GET, but not to cross-site POSTs, subresource loads or `fetch()` calls, which blocks the classic auto-submitted-form CSRF as long as state-changing endpoints never accept GET. `Strict` withholds the cookie on every cross-site request, including a user clicking a link to your site from elsewhere, so the landing page appears logged out. `None` re-enables cross-site sending for embedded or third-party use and is only accepted together with `Secure`. Set the attribute explicitly rather than relying on the browser default: Chrome's "Lax by default" behaviour still sends a cookie that is less than two minutes old on cross-site top-level POSTs, whereas an explicit `SameSite=Lax` has no such exception. Treat SameSite as defence in depth, not as a replacement for anti-CSRF tokens: it only distinguishes registrable domains, so a compromised sibling subdomain counts as same-site, and older clients ignore the attribute entirely.
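To make the `sameSite` rules concrete, here is an added example that is not part of the original page: a small model, in plain Node.js, of the decision a browser makes when choosing whether to attach a cookie to a request (following the RFC 6265bis semantics described above, without Chrome's two-minute exception), plus a `Set-Cookie` builder that enforces the rule that `None` must be paired with `Secure`. The helper names (`cookieIsSent`, `buildSetCookie`, `csrfOutcome`) and the request-context object are our own and are not browser or Express APIs.

```javascript
// Added example, not part of the original page or of Express.
// Models the SameSite decision a browser makes per RFC 6265bis.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Build a Set-Cookie header value from options shaped like the Express example
// (attribute order here is ours) and refuse SameSite=None without Secure,
// which is exactly what browsers do.
function buildSetCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge != null) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    const mode = opts.sameSite[0].toUpperCase() + opts.sameSite.slice(1).toLowerCase();
    if (mode === 'None' && !opts.secure) {
      throw new Error('SameSite=None requires Secure; browsers reject the cookie otherwise');
    }
    parts.push(`SameSite=${mode}`);
  }
  return parts.join('; ');
}

// Decide whether a cookie with the given SameSite mode is attached to a request.
// ctx (our own shape): { crossSite: boolean, topLevel: boolean, method: string }
//   crossSite: the request's initiator has a different registrable domain
//   topLevel:  the request navigates the top-level window (link click, form submit),
//              as opposed to <img>/<iframe> loads or fetch()/XHR
function cookieIsSent(sameSite, ctx) {
  const mode = (sameSite || 'Lax').toLowerCase(); // absent attribute: modern browsers treat as Lax
  if (!ctx.crossSite) return true;                 // same-site requests always carry the cookie
  if (mode === 'none') return true;                // explicitly opted in to cross-site use
  if (mode === 'strict') return false;             // never on cross-site requests
  // Lax: only top-level navigations using a safe (read-only) method
  return ctx.topLevel && SAFE_METHODS.has(ctx.method.toUpperCase());
}

// The classic CSRF scenario: an attacker page auto-submits a POST form to our site.
function csrfOutcome(sameSite) {
  return cookieIsSent(sameSite, { crossSite: true, topLevel: true, method: 'POST' });
}

// Quick demonstration when run directly: node samesite-demo.js
for (const mode of ['Strict', 'Lax', 'None']) {
  console.log(`${mode.padEnd(6)} cross-site POST carries cookie: ${csrfOutcome(mode)}`);
}
```

The two cases worth checking by hand are the ones that surprise people: under `Lax` a cross-site top-level GET still carries the cookie (so a GET endpoint that changes state is still CSRF-able), and a cross-site `<img>` or `fetch()` never does, even though it is a "safe" method, because it is not a top-level navigation.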