search

nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License
24.54k stars 3.45k forks source link

/auth/session duplicate Set-Cookie header #11370

Open Rikaelus opened 3 months ago

Rikaelus commented 3 months ago

Environment

System: OS: Linux 5.15 Ubuntu 24.04 LTS 24.04 LTS (Noble Numbat) CPU: (4) x64 AMD Ryzen 7 3700X 8-Core Processor Memory: 14.34 GB / 15.62 GB Container: Yes Shell: 5.2.21 - /bin/bash Binaries: Node: 18.19.1 - /usr/bin/node npm: 9.2.0 - /usr/bin/npm npmPackages: @auth/unstorage-adapter: ^2.0.0 => 2.2.0 next: latest => 14.2.4 next-auth: beta => 5.0.0-beta.19 react: ^18.2.0 => 18.3.1

Also experienced in: node:22-alpine Docker environment w/ "react": "18.3.0", "next": "^14.2.3", "next-auth": "^5.0.0-beta.19",

Reproduction URL

https://github.com/Rikaelus/nextauth-bug-cookies

Describe the issue

Post-authentication calls to /auth/session result in two authjs.session-token cookies being set in the HTTP headers. While they have different hash values I believe they ultimately store the same underlying information and their difference is consistently just one bite. I've witnessed this with both the CredentialsProvider (as in the example project) and a custom OIDC provider.

Calls to similar endpoints, such as /auth/providers only returns the single cookie.

This is particularly problematic with larger cookies (our actual use case is just shy of 4K) due to the double cookies exceeding our load balancer header size allowances.

image

How to reproduce

Expected behavior

A lone authjs.session-token cookie being set.

martinddesigns commented 2 months ago

I have the same issue. Did you manage to fix it?

Rikaelus commented 2 months ago

I have the same issue. Did you manage to fix it?

I did not. We ended up having to spin up an entirely separate HTTP1-based load balancer on OCI so we could expand the allowed HTTP header size.

Torrien commented 1 month ago

Similar issue being experienced in my organization. But cookie is actually triplicated. This is only happening on certain paths of the service, so we are looking into it possibly being a bad implementation of a callback function from our part. If not I will bring more details.