Next Auth session not clearing

I have deployed nextjs application with next-auth for authentication. But When I sign-out from my application I don’t clear session. When I refresh I the session is still there.

Note: I have deployed same application on vercel and it’s working fine.

After debugging more the cookies are being updated in server action.

Next.js Server Handler Logs

Browser cookies

As you can see cookie is still there in browser.

@juttameerhamza This sounds like something that would be better raised with the Next community:

The issue is not related to nextjs and next auth. I have tested on local machine and on vercel as well its working fine on them.

@juttameerhamza Thanks for adjusting to confirm that it’s working on Vercel.

Hopefully Netlify’s team can pinpoint why it’s behaving differently on Netlify.

Can’t do or say much without a reproduction. Let us know if you have one @juttameerhamza.

Hi @hrishikesh,

I’ve recently found a similar issue. I managed to do some updates in my code to get my site to work as expected. However, I feel it is important that Netlify review the issue and take some actions, either fixing the problem or updating the documentation on how Nextjs should be configured to work as expected in Netlify.

The issue in a nutshell
It seems that Netlify’s server returns multiple “Set-Cookie” values in a different order causing a session to never be deleted.

Description

  • If you follow the tutorial on the video, when the user clicks on signout, then gets redirected back to the login page.
  • If you check the dev tools and the Nertwork tab, you can see that in the Response Headers there are 2 “Set-Cookies” values for the session. When you test this locally during development, or start your local server after running a build, or even deploy to Vercel, you’ll see the 2 Cookies.

    Note that the last cookie resets the session.
    -Now, if you where to do the exact same test in Netlify, you get an inverted response:

This causes the session to not being deleted, instead is reset. The user might believe they have been logged out, but if they refresh the page, then they’ll be logged in again.

How to replicate the issue

I’ve created a separate project to demonstrate the issue. I have deployed the same code on Vercel and Netlify to show you the different behaviours.

I’ve made this video to explain the problem and how to replicate it:

Intructions:
To better understand the problem, please follow the steps in both Vercel and Netlify versions and compare the results.

Vercel Version:

  1. Go to https://auth-poc-next-kappa.vercel.app/
  2. Write any email and click login. You’ll see the data of the logged in user at the bottom and a Logout button.
  3. Refresh the page (IMPORTANT)
  4. Click on the “Logout” button. You’ll see the email input box and the Login again.
  5. Check the cookies in the Dev tools, and you’ll see that the session cookie has been removed.
  6. Refresh the browser. You will see that the user is actually logged out.

Netlify Version:

  1. Go to https://test-nextjs-auth-basic-real.netlify.app/
  2. Write any email and click login. You’ll see the data of the logged in user at the bottom and a Logout button.
  3. Refresh the page (IMPORTANT)
  4. Click on the “Logout” button. You’ll see the email input box and the Login again.
  5. Check the cookie in the dev Tools, you’ll see that the session cookie was not removed, it stays there.
  6. Refresh the browser. You’ll see that you are still logged in.

You can check the code here:

Could you please help us understand what else needs to be done to get NextJS to work property in your servers. Help us understand a bit more the Response headers of Netlify, why are they getting switched in order.

Note: I do believe the example in the Youtube video needs some improvement as we shouldn’t be sending the 2 cookies in the response. Either way, the issue here is not that, the issue here is understanding why the header responses we get from Netlify are in different order.

1 Like

While I can file an issue to investigate the difference in cookie order, my question would be, why is your application sending 2 cookies with the same name in the first place?

I don’t think that’s the actual issue. The actual issue is the one that you brushed off as you should not have 2 cookies.

Here’s the official HTTP standard: RFC 6265: HTTP State Management Mechanism (rfc-editor.org), quoting:

To maximize compatibility with user agents, servers SHOULD NOT produce two attributes with the same name in the same set-cookie-string.

If you do that, it’s up to the browser to pick the header as described in this section: RFC 6265: HTTP State Management Mechanism (rfc-editor.org)

Hi @hrishikesh,

Thanks for your response and providing additional recommendations based on the HTTP standards.

However, my intention is to also understand how the headers are getting returned by Netlify and why even tho, it is not a good practice, they are not in the same order as other servers, specially the same way as the local dev servers you get when you work on a nextjs project locally.

As I mentioned in my original post, I have done my fixes on my real project and making sure that I’m only returning a single Cookie.

I created this posts because I feel there might be more people doing the same mistake as there is a youtube video that explains how to implement Authentication in a way that will return these double cookies.

Maybe, it’s worth adding a small statement in the Troubleshooting area of this article Next.js 13.5+ on Netlify | Netlify Docs, to mention this.

There are several layers involved in passing the headers back to the client and the issue could be in any of those layers. Like I mentioned before, I can ask the devs to check that and potentially even sync with some other server, but:

  • They might ask me the same question I asked you, “why is the HTTP standard not being followed?”. I could be wrong and they might just fix it, but generally we are not inclined to solve issues that are caused due to going against standards.
  • The devs already have a lot of issues currently to work on, so I’m a bit hesitant to add another issue to their plate, especially when the issue is not completely caused by an error on Netlify.

It’s a very specific issue (caused by doing something out-of-standard), so I’m not in favour of submitting it for docs.

Just because Vercel (or maybe some other servers) return the headers in a specific order, it doesn’t make it the only (correct) way to do so. When something goes against the standards, the problem is not following the standards.

@hrishikesh

Thank you for your detailed response. I completely agree with your feedback. As developers, we sometimes focus on getting things to work and may overlook documented standards like this one.

I’m happy helping the community by just leaving these comments here in case they find themselves in the same situation.

I am also content with leaving these comments for others who might face the same issue in the future. I have also reported added some comments to an issue reported in the nextjs project to improve the cookies.set() function to prevent these unwanted behaviour.

1 Like

I can confirm this is happening only on Netlify. I have a next 14 app with next-auth, the signout function is to deleting the cookies. After reloading the session is still there

If this is becasue you’re sending multiple cookies with the same name, that’s not a Netlify issue. If not, please share a reproduction.

@dnpg

how did you make it return a single cookie?