Address browser console warning msg about sameSite cookie setting. Enable sameSite and secure options on main session cookie (and enable 'trust proxy' setting in Express since TLS connection does not reach this app). Disable cookie set by socket.io since there doesn't seem to be any way to enable sameSite and it's not being used by app.

server.js

@@ -18,8 +18,15 @@ var Strategy = require('passport-local').Strategy;
 var db = require('./db');
 var Session = require('express-session');
 var SessionStore = require('session-file-store')(Session);
-var session = Session({ secret: 'here kitty kitty', resave: false, saveUninitialized: false, store: new SessionStore({path: __dirname+'/tmp/sessions'}) });
+var session = Session({
+        secret: 'here kitty kitty',
+        resave: false,
+        saveUninitialized: false,
+        cookie: { sameSite: true, secure: true },
+        store: new SessionStore({path: __dirname+'/tmp/sessions'})
+    });
 app.use(session);
+app.set('trust proxy', true);
 
 //----------------------------
 // Configure the local strategy for use by Passport.
@@ -94,7 +101,7 @@ app.get('/logout', function(req, res){
 });
 
 var http = require('http').Server(app);
-var io = require('socket.io')(http);
+var io = require('socket.io')(http, { cookie: false });
 var iosess = require('socket.io-express-session');
 io.use(iosess(session));