Add HttpOnly, Secure, SameSite, and maxAge flags to session cookie

express-session was configured with no cookie options, leaving the
connect.sid session identifier readable via document.cookie (no
HttpOnly), transmittable over HTTP (no Secure), and attachable by
any cross-site request (no SameSite).

Add cookie flags with environment-aware values: Secure and
SameSite=Strict are active only when NODE_ENV=production so that
local development over plain HTTP continues to work without disabling
cookie behaviour. SameSite=lax in development still blocks third-party
POST CSRF while allowing top-level navigation redirects.

Set maxAge to 24 hours to bound the lifetime of an exposed session ID.

Add ENV NODE_ENV=production to Dockerfile.prod so the production
cookie policy activates automatically in containerised deploys.

Document NODE_ENV in .env.sample so local developers set it explicitly.

Closes #373

Author: advikdivekar

backend/.env.sample

@@ -1,3 +1,4 @@
 PORT=5000
 MONGO_URI=mongodb://localhost:27017/githubTracker
 SESSION_SECRET=your-secret-key
+NODE_ENV=development

backend/Dockerfile.prod

@@ -13,6 +13,9 @@ RUN npm install --production
 # Copy the rest of the application files
 COPY . .
 
+# Set production environment so session cookies get Secure + SameSite=Strict
+ENV NODE_ENV=production
+
 # Expose the port for the application
 EXPOSE 5000
 

backend/server.js

@@ -20,6 +20,12 @@ app.use(session({
     secret: process.env.SESSION_SECRET,
     resave: false,
     saveUninitialized: false,
+    cookie: {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === 'production',
+        sameSite: process.env.NODE_ENV === 'production' ? 'strict' : 'lax',
+        maxAge: 24 * 60 * 60 * 1000,
+    },
 }));
 app.use(passport.initialize());
 app.use(passport.session());