nuxt-community / auth-module

Zero-boilerplate authentication support for Nuxt 2
https://auth.nuxtjs.org
MIT License

Auth.* cookie should not be set if the user isn't logged in #1846

Open sdboer78 opened 1 year ago

sdboer78 commented 1 year ago

Version

module: 5.0.0-1667386184.dfbbb54
nuxt: 2.15.8

Nuxt-auth's default behavior is to set an auth-strategy set-cookie header on each page view. This results in pages not being cached in caching systems.

Referring to: https://github.com/nuxt-community/auth-module/issues/1029

Also, Cloudflare has the default behavior to ignore caching when the application has a set-cookie in the response: https://developers.cloudflare.com/cache/about/default-cache-behavior/#cloudflare-cache-responses:~:text=The%20Set%2DCookie%20header%20exists. It's hard, or maybe even not possible, to change this behavior.

So when using the nuxt-auth module, no page will be cached in cache systems like Cloudflare, Varnish, Nginx caching, Apache caching, etc.

Nuxt-auth should not set any auth cookie when the user is not logged in.

cyppher commented 1 year ago

+1

The set-cookie header has the same impact as setting cache control headers to private, no-store, no-cache, or max-age=0. In effect, Nuxt SSR now states that the cache should not be activated for this resource, even if it's a non-protected page. Thus: bypassing the cache is a result of this header and should be resolved in this module imho.
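
As an added example (not part of the thread and not the module's own code), the check below flags anonymous responses that a shared cache would bypass under the rules described in the comments above: any Set-Cookie header, or a Cache-Control of private, no-store, no-cache or max-age=0. The header samples are constructed, `auditAnonymousResponse` is a hypothetical helper, and `auth.` is assumed to be the cookie prefix in use; real caches apply further rules that this simplified check ignores.

```javascript
// Cache-Control directives the thread names as disabling shared caching.
const UNCACHEABLE_DIRECTIVES = new Set(['private', 'no-store', 'no-cache']);

// Parse a Cache-Control value into a Map of directive -> value (true if bare).
function parseCacheControl(value = '') {
  const directives = new Map();
  for (const part of value.split(',')) {
    const [name, raw] = part.trim().split('=');
    if (name) {
      directives.set(name.toLowerCase(), raw === undefined ? true : raw.replace(/"/g, ''));
    }
  }
  return directives;
}

// Extract cookie names from one or more Set-Cookie header values.
function cookieNames(setCookie) {
  if (setCookie === undefined) return [];
  const values = Array.isArray(setCookie) ? setCookie : [setCookie];
  return values.map((v) => v.split(';')[0].split('=')[0].trim());
}

// headers: object keyed by lower-case header name, as Node's http module exposes them.
// authPrefix is an assumption; pass the prefix your deployment actually uses.
function auditAnonymousResponse(headers, authPrefix = 'auth.') {
  const reasons = [];
  const names = cookieNames(headers['set-cookie']);
  if (names.length > 0) reasons.push(`set-cookie: ${names.join(', ')}`);

  const cc = parseCacheControl(headers['cache-control']);
  for (const directive of cc.keys()) {
    if (UNCACHEABLE_DIRECTIVES.has(directive)) reasons.push(`cache-control: ${directive}`);
  }
  if (cc.get('max-age') === '0') reasons.push('cache-control: max-age=0');

  return {
    cacheable: reasons.length === 0,
    reasons,
    authCookies: names.filter((n) => n.startsWith(authPrefix)),
  };
}

// Constructed samples: an anonymous page view with and without the auth cookie.
const withAuthCookie = {
  'cache-control': 'public, max-age=300',
  'set-cookie': ['auth.strategy=local; Path=/'],
};
const withoutCookie = { 'cache-control': 'public, max-age=300' };
```

Running this against responses fetched without any session cookie shows which public routes lose edge caching because of an auth cookie alone, as opposed to an explicit Cache-Control choice.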