nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License

Two session token cookies are created - one for domain and another for subdomain - even after explicitly setting the domain #8222

Open anshkumar23 opened 1 year ago

anshkumar23 commented 1 year ago

Environment

OS: Windows

Binaries: node v18.17.0 npm v9.6.7

Libraries: next v13.4.9 next-auth v4.22.1 react v18.2.0

Reproduction URL

private repo

Describe the issue

Hi,

I am using next-auth v4.22.1 and we are seeing that two session token cookies are created. We have explicitly set the domain as the root domain. Yet one session cookie is created for the root domain and another for the subdomain. As a result, signOut does not work: it just reloads the page and the session cookies are updated.


How to reproduce


Expected behavior

  1. Sign out should clear the session cookies and should logout the user from the session.
  2. Only one session token cookie should be created, and it should be created for the domain that is set in the configuration.

Dragosp33 commented 3 months ago

Have you found what caused this? I'm running into the same problem now

joaogabriels commented 2 months ago

Any updates? I'm also running into the same problem.

Dragosp33 commented 2 months ago

Any updates? I'm also running into the same problem.

@joaogabriels Check the response to this issue, see if it helps: #11570. Basically, my problem was that the auth.config export runs in a middleware on the edge environment, which creates its own cookie; then another session is created by the auth.ts export, where the cookies were set.

joaogabriels commented 2 months ago

Hey @Dragosp33,

I saw your solution and comment in the repository, and I tried to implement it in my project. However, as I am using a configuration with a pages directory, I couldn't apply the solution successfully.

I would like to describe my problem in more detail. The session cookie for my application was set to the domain abc.site.com, but I updated the configuration to .site.com. In the production environment, some users were already logged in, and the cookies from the old domain are conflicting with the new domain cookies, preventing the correct session retrieval.

I tried deleting the old cookies, but that seems to be impossible. So far, I am still looking for a solution to this problem.
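As an added illustration of the cookie behaviour described in this thread (not code from next-auth or from any commenter), here is a small model of a browser cookie jar in JavaScript; the host `app.site.com`, the token values and the root domain `.site.com` are constructed assumptions:

```javascript
// Added illustration, not next-auth code: a minimal model of how a browser
// stores cookies (RFC 6265 keys them by name + domain + path), showing why a
// host-only session cookie and a Domain= cookie with the same name coexist
// and what a sign-out must send to clear both. Host and tokens are constructed.
const SESSION_COOKIE = 'next-auth.session-token';

// Parse one Set-Cookie header from a response to `requestHost` (no Domain attribute = host-only).
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: requestHost.toLowerCase(), path: '/', expired: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'domain') c.domain = v.replace(/^\./, '').toLowerCase();
    else if (key === 'path') c.path = v;
    else if (key === 'max-age') c.expired = Number(v) <= 0;
  }
  return c;
}

// Apply Set-Cookie headers to a jar (Map keyed by name|domain|path) as a browser
// would: same key overwrites, an expired cookie deletes, anything else is new.
function applySetCookies(jar, headers, requestHost) {
  for (const h of headers) {
    const c = parseSetCookie(h, requestHost);
    const key = `${c.name}|${c.domain}|${c.path}`;
    if (c.expired) jar.delete(key); else jar.set(key, c.value);
  }
  return jar;
}

// The situation in the issue: one handler sets the cookie host-only, another for the root domain.
function reproduceDuplicateCookies(host = 'app.site.com') {
  const jar = new Map();
  applySetCookies(jar, [`${SESSION_COOKIE}=tokA; Path=/; HttpOnly; Secure`], host);
  applySetCookies(jar, [`${SESSION_COOKIE}=tokB; Path=/; Domain=.site.com; HttpOnly; Secure`], host);
  return jar;
}

// Sign-out (or a migration from a subdomain cookie to .site.com) must expire
// every variant: Max-Age=0 with Domain=.site.com never touches the host-only copy.
function clearSessionCookieHeaders(rootDomain) {
  return [
    `${SESSION_COOKIE}=; Path=/; Max-Age=0; HttpOnly; Secure`,
    `${SESSION_COOKIE}=; Path=/; Domain=${rootDomain}; Max-Age=0; HttpOnly; Secure`,
  ];
}
```

Running `reproduceDuplicateCookies()` yields two jar entries; expiring only the `Domain=.site.com` variant leaves the host-only one behind, while `clearSessionCookieHeaders('.site.com')` empties the jar.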