
During logout, both a blank and non-blank __Secure-authjs.session-token Set-Cookie header are sent #12907

@NickCrews

Description

Environment

(The environment from https://github.com/nextauthjs/next-auth-example)

  System:
    OS: Linux 6.8 Ubuntu 20.04.6 LTS (Focal Fossa)
    CPU: (2) x64 AMD EPYC 7763 64-Core Processor
    Memory: 5.96 GB / 7.75 GB
    Container: Yes
    Shell: 5.0.17 - /bin/bash
  Binaries:
    Node: 20.19.0 - ~/nvm/current/bin/node
    Yarn: 1.22.22 - /usr/bin/yarn
    npm: 10.8.2 - ~/nvm/current/bin/npm
    pnpm: 10.6.4 - ~/nvm/current/bin/pnpm
  npmPackages:
    @auth/unstorage-adapter: ^2.0.0 => 2.9.0 
    next: latest => 15.3.1 
    next-auth: beta => 5.0.0-beta.27 
    react: ^18.2.0 => 18.3.1 

Reproduction URL

https://next-auth-example.vercel.app/

Describe the issue

During the logout process, next-auth sends a Set-Cookie header to the client to inform the browser to clear the __Secure-authjs.session-token cookie. Unfortunately, it ALSO sends a second Set-Cookie header that revalidates the cookie. See the screenshot below (repro steps below); the response includes two Set-Cookie headers:

  • __Secure-authjs.session-token=<encrypted token>; Path=/; Expires=Sun, 25 May 2025 22:22:36 GMT; HttpOnly; Secure; SameSite=Lax
  • __Secure-authjs.session-token=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=lax

[Screenshot: the logout response headers showing both Set-Cookie headers]

The problem is that this is undefined behavior, according to https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1, in particular "Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name."

For some server runtimes, such as vercel and node, the blank cookie appears second, while on others, such as cloudflare workers and netlify, the blank cookie appears first. The outcome is that, at least on Chrome, the browser chooses to use the LAST header. So, if you use next-auth on cloudflare or netlify, the non-blank cookie is second, and thus the user is never signed out.

I found this question on a netlify help forum and this pointed me in the right direction.
https://answers.netlify.com/t/next-auth-session-not-clearing/119104/13

How to reproduce

  1. go to https://next-auth-example.vercel.app/
  2. login using any method
  3. open devtools, go to the network tab, and clear the network log
  4. hit the logout button
  5. look at the headers returned in the response

Expected behavior

The solution I would like to see is that next-auth only sends the blank cookie on logout. I wonder if the non-blank cookie is coming from middleware that is automatically refreshing the cookie on every request?
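An added regression check (example code, not from the issue author or the next-auth project): it parses a response's Set-Cookie headers, flags duplicate headers for the session cookie name (which RFC 6265 §4.1.1 says servers SHOULD NOT send), and reports which value a last-header-wins browser such as Chrome would keep. The two header lists are constructed from the shapes quoted above, with a placeholder token and a far-future Expires so the result does not depend on the current date.

```javascript
// Added example: audit a logout response for duplicate Set-Cookie headers and
// determine whether the session cookie actually ends up cleared in the browser.
const SESSION_COOKIE = "__Secure-authjs.session-token";

// Parse one Set-Cookie header value into { name, value, attrs } (attrs lowercased).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// A Set-Cookie clears the cookie when its value is empty or Max-Age is <= 0
// (the shape next-auth uses on logout). Expires is deliberately not evaluated
// here so the check stays independent of the wall clock.
function isClearing(cookie) {
  if (cookie.value === "") return true;
  return "max-age" in cookie.attrs && Number(cookie.attrs["max-age"]) <= 0;
}

// Returns { duplicate, clearedInBrowser } for the given cookie name. Per
// RFC 6265 §5.3 a later Set-Cookie for the same name/domain/path replaces the
// earlier one, so the LAST header decides what the browser stores.
function auditLogout(setCookieHeaders, name = SESSION_COOKIE) {
  const forName = setCookieHeaders.map(parseSetCookie).filter((c) => c.name === name);
  const effective = forName.length ? forName[forName.length - 1] : null;
  return {
    duplicate: forName.length > 1,
    clearedInBrowser: effective !== null && isClearing(effective),
  };
}

// Constructed samples modelled on the headers quoted in the issue (placeholder token).
const vercelOrder = [
  `${SESSION_COOKIE}=eyJ.constructed.token; Path=/; Expires=Fri, 01 Jan 2100 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax`,
  `${SESSION_COOKIE}=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=lax`,
];
// On Cloudflare Workers / Netlify the blank cookie arrives first, so the token wins.
const cloudflareOrder = [vercelOrder[1], vercelOrder[0]];

console.log("vercel order:", auditLogout(vercelOrder));
console.log("cloudflare order:", auditLogout(cloudflareOrder));
```

Run the same audit against a captured logout response in CI and fail the build when `duplicate` is true, regardless of which order the runtime happens to emit.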

Labels: bug (Something isn't working), invalid reproduction (The issue did not have a detectable valid reproduction URL), triage (Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.)