I have deployed nextjs application with next-auth for authentication. But When I sign-out from my application I don’t clear session. When I refresh I the session is still there.
Note: I have deployed same application on vercel and it’s working fine.
After debugging more the cookies are being updated in server action.
I’ve recently found a similar issue. I managed to do some updates in my code to get my site to work as expected. However, I feel it is important that Netlify review the issue and take some actions, either fixing the problem or updating the documentation on how Nextjs should be configured to work as expected in Netlify.
The issue in a nutshell
It seems that Netlify’s server returns multiple “Set-Cookie” values in a different order causing a session to never be deleted.
Description
If you follow the tutorial on the video, when the user clicks on signout, then gets redirected back to the login page.
If you check the dev tools and the Nertwork tab, you can see that in the Response Headers there are 2 “Set-Cookies” values for the session. When you test this locally during development, or start your local server after running a build, or even deploy to Vercel, you’ll see the 2 Cookies.
This causes the session to not being deleted, instead is reset. The user might believe they have been logged out, but if they refresh the page, then they’ll be logged in again.
How to replicate the issue
I’ve created a separate project to demonstrate the issue. I have deployed the same code on Vercel and Netlify to show you the different behaviours.
I’ve made this video to explain the problem and how to replicate it:
Intructions:
To better understand the problem, please follow the steps in both Vercel and Netlify versions and compare the results.
Write any email and click login. You’ll see the data of the logged in user at the bottom and a Logout button.
Refresh the page (IMPORTANT)
Click on the “Logout” button. You’ll see the email input box and the Login again.
Check the cookie in the dev Tools, you’ll see that the session cookie was not removed, it stays there.
Refresh the browser. You’ll see that you are still logged in.
You can check the code here:
Could you please help us understand what else needs to be done to get NextJS to work property in your servers. Help us understand a bit more the Response headers of Netlify, why are they getting switched in order.
Note: I do believe the example in the Youtube video needs some improvement as we shouldn’t be sending the 2 cookies in the response. Either way, the issue here is not that, the issue here is understanding why the header responses we get from Netlify are in different order.
While I can file an issue to investigate the difference in cookie order, my question would be, why is your application sending 2 cookies with the same name in the first place?
I don’t think that’s the actual issue. The actual issue is the one that you brushed off as you should not have 2 cookies.
Thanks for your response and providing additional recommendations based on the HTTP standards.
However, my intention is to also understand how the headers are getting returned by Netlify and why even tho, it is not a good practice, they are not in the same order as other servers, specially the same way as the local dev servers you get when you work on a nextjs project locally.
As I mentioned in my original post, I have done my fixes on my real project and making sure that I’m only returning a single Cookie.
I created this posts because I feel there might be more people doing the same mistake as there is a youtube video that explains how to implement Authentication in a way that will return these double cookies.
There are several layers involved in passing the headers back to the client and the issue could be in any of those layers. Like I mentioned before, I can ask the devs to check that and potentially even sync with some other server, but:
They might ask me the same question I asked you, “why is the HTTP standard not being followed?”. I could be wrong and they might just fix it, but generally we are not inclined to solve issues that are caused due to going against standards.
The devs already have a lot of issues currently to work on, so I’m a bit hesitant to add another issue to their plate, especially when the issue is not completely caused by an error on Netlify.
It’s a very specific issue (caused by doing something out-of-standard), so I’m not in favour of submitting it for docs.
Just because Vercel (or maybe some other servers) return the headers in a specific order, it doesn’t make it the only (correct) way to do so. When something goes against the standards, the problem is not following the standards.
Thank you for your detailed response. I completely agree with your feedback. As developers, we sometimes focus on getting things to work and may overlook documented standards like this one.
I’m happy helping the community by just leaving these comments here in case they find themselves in the same situation.
I am also content with leaving these comments for others who might face the same issue in the future. I have also reported added some comments to an issue reported in the nextjs project to improve the cookies.set() function to prevent these unwanted behaviour.
I can confirm this is happening only on Netlify. I have a next 14 app with next-auth, the signout function is to deleting the cookies. After reloading the session is still there