Thanks to visit codestin.com
Credit goes to github.com

Skip to content

During logout, both a blank and non-blank __Secure-authjs.session-token Set-Cookie header are sent #12907

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
NickCrews opened this issue Apr 25, 2025 · 1 comment
Closed

During logout, both a blank and non-blank __Secure-authjs.session-token Set-Cookie header are sent #12907

NickCrews opened this issue Apr 25, 2025 · 1 comment
Labels
bug Something isn't working invalid reproduction The issue did not have a detectable valid reproduction URL triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

Comments

@NickCrews
Copy link

Environment

(The environment from https://github.com/nextauthjs/next-auth-example)

  System:
    OS: Linux 6.8 Ubuntu 20.04.6 LTS (Focal Fossa)
    CPU: (2) x64 AMD EPYC 7763 64-Core Processor
    Memory: 5.96 GB / 7.75 GB
    Container: Yes
    Shell: 5.0.17 - /bin/bash
  Binaries:
    Node: 20.19.0 - ~/nvm/current/bin/node
    Yarn: 1.22.22 - /usr/bin/yarn
    npm: 10.8.2 - ~/nvm/current/bin/npm
    pnpm: 10.6.4 - ~/nvm/current/bin/pnpm
  npmPackages:
    @auth/unstorage-adapter: ^2.0.0 => 2.9.0 
    next: latest => 15.3.1 
    next-auth: beta => 5.0.0-beta.27 
    react: ^18.2.0 => 18.3.1

Reproduction URL

https://next-auth-example.vercel.app/

Describe the issue

During the logout process, next-auth sends a Set-Cookie header to the client to inform the browser to clear the __Secure-authjs.session-token cookie. Unfortunately, it ALSO sends a second Set-Cookie header that revalidates the cookie. See the screenshot below (repro steps below), you can see the response includes two Set-Cookie headers:

  • __Secure-authjs.session-token=<encrypted token>; Path=/; Expires=Sun, 25 May 2025 22:22:36 GMT; HttpOnly; Secure; SameSite=Lax
  • __Secure-authjs.session-token=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=lax
Image

The problem is that this is undefined behavior, according to https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1, in particular "Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name."

For some server runtimes, such as vercel and node, the blank cookie appears second, while on others, such as cloudflare workers and netlify, the blank cookie appears first. The outcome is that, at least on Chrome, the browser chooses to use the LAST header. So, if you use next-auth on cloudflare or netlify, the non-blank cookie is second, and thus the user is never signed out.

I found this question on a netlify help forum and this pointed me in the right direction.
https://answers.netlify.com/t/next-auth-session-not-clearing/119104/13

How to reproduce

  1. go to https://next-auth-example.vercel.app/
  2. login using any method
  3. open devtools, go to the network tab, and clear the network log
  4. hit the logout button
  5. look at the headers returned in the response

Expected behavior

The solution I would like to see is that next-auth only sends the blank cookie on logout. I wonder if the non-blank cookie is coming from middleware that is automatically refreshing the cookie on every request?
@NickCrews NickCrews added bug Something isn't working triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. labels Apr 25, 2025
@github-actions github-actions bot added the invalid reproduction The issue did not have a detectable valid reproduction URL label Apr 25, 2025
@github-actions GitHub Actions
Copy link

We could not detect a valid reproduction link. Make sure to follow the bug report template carefully.

Why was this issue closed?

To be able to investigate, we need access to a reproduction to identify what triggered the issue. We need a link to a public GitHub repository. Example: (NextAuth.js example repository).

The bug template that you filled out has a section called "Reproduction URL", which is where you should provide the link to the reproduction.

  • If you did not provide a link or the link you provided is not hosted on github.com outside of the next-auth organization, we will close the issue.
  • If you provide a link to a private repository, we will close the issue.
  • If you provide a link to a repository but not in the correct section, we will close the issue.

What should I do?

Depending on the reason the issue was closed, you can do the following:

  • If you did not provide a link hosted on github.com outside of the next-auth organization, please open a new issue with a link to such a reproduction.
  • If you provided a link to a private repository, please open a new issue with a link to a public repository.
  • If you provided a link to a repository but not in the correct section, please open a new issue with a link to a reproduction in the correct section.

In general, assume that we should not go through a lengthy onboarding process at your company code only to be able to verify an issue.

My repository is private and cannot make it public

In most cases, a private repo will not be a sufficient minimal reproduction, as this codebase might contain a lot of unrelated parts that would make our investigation take longer. Please do not make it public. Instead, create a new repository using the templates above, adding the relevant code to reproduce the issue. Common things to look out for:

  • Remove any code that is not related to the issue. (pages, API Routes, components, etc.)
  • Remove any dependencies that are not related to the issue.
  • Remove any third-party service that would require us to sign up for an account to reproduce the issue.
  • Remove any environment variables that are not related to the issue.
  • Remove private packages that we do not have access to.
  • If the issue is not related to a monorepo specifically, try to reproduce the issue without a complex monorepo setup

I did not open this issue, but it is relevant to me, what can I do to help?

Anyone experiencing the same issue is welcome to provide a minimal reproduction following the above steps by opening a new issue.

I think my reproduction is good enough, why aren't you looking into it quickly?

We look into every issue and monitor open issues for new comments.

However, sometimes we might miss a few due to the popularity/high traffic of the repository. We apologize, and kindly ask you to refrain from tagging core maintainers, as that will usually not result in increased priority.

Upvoting issues to show your interest will help us prioritize and address them as quickly as possible. That said, every issue is important to us, and if an issue gets closed by accident, we encourage you to open a new one linking to the old issue and we will look into it.

Useful Resources

@github-actions github-actions bot locked and limited conversation to collaborators Apr 25, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working invalid reproduction The issue did not have a detectable valid reproduction URL triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@NickCrews