nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License
24.37k stars 3.41k forks

`getServerSession`, if called more than once, generates and appends multiple `next-auth.session_token` to `set-cookie` header of the response object #7485

Open bboyz269 opened 1 year ago

bboyz269 commented 1 year ago

Environment

next 12.1.5
react 18.0.0
next-auth 4.20.1

Reproduction URL

-

Describe the issue

I have an API route that invokes getServerSession more than once. Its response header set-cookie was bloated with next-auth.session_token to the point that HPE_HEADER_OVERFLOW was thrown in the proxy server.

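```ts
import type { NextApiHandler, NextApiRequest, NextApiResponse } from "next"
import { getServerSession } from "next-auth/next"

// `conf` is the NextAuth options object; its definition is not shown in the report.
const handler: NextApiHandler = async (req, res) => {
    // Both helpers resolve the session against the same req/res pair.
    const data1 = await fetchData1(req, res)
    const data2 = await fetchData2(req, res)
}

const fetchData1 = async (req: NextApiRequest, res: NextApiResponse) => {
    await getServerSession(req, res, conf)
    // ...
}
const fetchData2 = async (req: NextApiRequest, res: NextApiResponse) => {
    await getServerSession(req, res, conf)
    // ...
}
```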

How to reproduce

-

Expected behavior

Considering that the method name is "getServerSession", multiple calls should still generate and set the header only once (it would be better if we could detect and re-use the previous call's result).

Code in question

https://github.com/nextauthjs/next-auth/blob/b96f01319c751c7d62433c24fdb9f3f8f1e572c1/packages/next-auth/src/next/index.ts#L210-L222
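
A per-request memoization wrapper of the kind the expected-behaviour section asks for, as an added example that is not part of the original issue or of next-auth's code. `getSessionOnce`, `fakeGetServerSession`, `fakeRes` and `demo` are hypothetical names, and the stand-in lookup is constructed to mimic the reported behaviour of appending one cookie per call, so the block runs without next-auth installed.

```javascript
// Added example. getSessionOnce, fakeGetServerSession, fakeRes and demo are
// hypothetical names; only the req/res/options call shape comes from the issue.
const sessionCache = new WeakMap(); // req object -> in-flight or settled session promise

function getSessionOnce(req, res, options, getSession) {
  let pending = sessionCache.get(req);
  if (!pending) {
    // Cache the promise, not the value, so concurrent callers share one lookup.
    pending = getSession(req, res, options);
    sessionCache.set(req, pending);
    // A failed lookup must not stay pinned to the request: allow a retry.
    Promise.resolve(pending).catch(() => sessionCache.delete(req));
  }
  return pending;
}

// Constructed stand-in that mimics the reported behaviour: every call appends
// another session cookie to the response. The cookie value is a placeholder.
async function fakeGetServerSession(req, res, options) {
  const previous = res.getHeader("Set-Cookie") || [];
  res.setHeader("Set-Cookie", [...previous, "next-auth.session_token=PLACEHOLDER; Path=/; HttpOnly"]);
  return { user: { name: "constructed-user" } };
}

// Minimal response double exposing only the two header methods used above.
function fakeRes() {
  const headers = new Map();
  return {
    getHeader: (name) => headers.get(name.toLowerCase()),
    setHeader: (name, value) => void headers.set(name.toLowerCase(), value),
  };
}

// Two sequential lookups plus two concurrent ones on one request;
// resolves to the number of Set-Cookie values left on the response.
async function demo(useCache) {
  const req = {};
  const res = fakeRes();
  const lookup = () =>
    useCache ? getSessionOnce(req, res, {}, fakeGetServerSession) : fakeGetServerSession(req, res, {});
  await lookup();
  await lookup();
  await Promise.all([lookup(), lookup()]);
  return res.getHeader("Set-Cookie").length;
}
```

In a route, passing next-auth's `getServerSession` as the last argument lets `fetchData1` and `fetchData2` share one lookup per request.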

rahulsivalenka commented 4 months ago

I see the same issue in v5 as well. I am using auth as middleware in a Next.js app. After a successful login from the auth provider's login page, it redirects to the home page with too many Set-Cookie headers in the response:

image

Is there any resolution to this issue, or am I doing something wrong?