Backend server no longer using cookies...?

Hi it seems now requests to backend server use Authorization header. Didn’t it use cookies before…?

This has caused a problem.

We assumed the cookies are set then we make our own routes like

GET /dashboard/support

and it uses Liana.ensureAuthenticated

But now it is failing


Please provide any relevant information about your setup.

“forest-express-sequelize”: “^6.0.0”,
“lumber-jwt”: “^0.0.1-beta.0”,

Hey @davidchain,

Not sure to follow you here :sweat_smile:.

Server has always used Authorization header.
We did not change anything on our side in the last few day did you make an upgrade of your agent ? If yes there is something that did change on that part.

What is that GET /dashboard/support ? A smart chart ? Could you give a more context please :pray:

this could have been a change months ago and we didn’t notice until now

we have a custom page running on the backend server we wanted to limit users already logged into Forest. I’m pretty sure it used to use cookies and this worked because we used it before

  1. problem was chrome and how cookie set we patched it below,being%20accessed%20in%20the%20browser

  2. cookie is limited to /forest path so we had to move route under /forest

diff --git a/node_modules/forest-express/dist/routes/sessions.js b/node_modules/forest-express/dist/routes/sessions.js
index b306260..4c234dc 100644
--- a/node_modules/forest-express/dist/routes/sessions.js
+++ b/node_modules/forest-express/dist/routes/sessions.js
@@ -85,7 +85,7 @@ module.exports = function Sessions(app, opts) {
               if (responseData.token) {
                 // NOTICE: Set a cookie to ensure secure authentication using export feature.
                 twoWeeksInMilliseconds = 14 * 24 * 60 * 60;
-                response.header('Set-Cookie', "forest_session_token=".concat(responseData.token, "; Max-Age=").concat(twoWeeksInMilliseconds));
+                response.header('Set-Cookie', `forest_session_token=${responseData.token}; Max-Age=${twoWeeksInMilliseconds}; SameSite=None; Secure`);

Hi @davidchain,

Please consider the fix of enlarging the cookies scope as temporary, not reliable.
It’s a security lack, and you will need to support it by yourself, something we can do for you.

If it’s possible, can you please express what is the business case you considered better to solve with custom pages instead of using the Forest features? It can also help us improve the product.


The problem is you don’t support custom pages in the admin

We want to use your auth to render custom HTML to logged in users in Forest

Ok, I understood that.

Is it possible for you to give more details about the feature it will provide?
This would allow us to suggest maybe better alternatives.

Is very simple we want ability to render custom page returned by server in the admin

Oh yes I understand that, thank you.
This is a technical description, right?

If you agree to share the information with us, can you explain the business need this?
What is the business purpose of these custom pages? What is the functionnal service covered by these custom pages?

I insist because, Forest UI can address almost everything. I think at 99% that I will be able to provide you a way of doing the same feature in an integrated way, so you won’t have to care about security, updates and so on.
And more: you will benefit from features that are supported and used (tested) by a whole community.

1 Like

we need to render a custom table involving queries from multiple database


I think it has value for you to have only one UI for all your operations, isn’t it?

Please have a look at the multi-db feature (to embed tables from multiple db in one project and more): SQL and for no-SQL

Also, please consider the smart field feature that allow to add a custom field(s) to a collection: smart fields

If you do not find what is very useful to you there, please give us the detailed case you need, and we will try to help you.


no this doesn’t work we just need to show html in the admin panel

Do you mean a read-only web page, without javascript?
Is it for some kind of stat display on TV?