req.session.destroy() does not remove cookies with the latest version of NextJS when hosting on Vercel
#274
Comments
|
Thanks for the detailed bug report and first analysis.
I am doing some tests right now, let me know how it goes on your side |
|
More info on the issue: this is because of the caching mechanism. Now why has it changed on the latest Next.js versions: I don't know and I think you should write to the Vercel support to know more. A possible workaround for now would be to manually set caching headers (informing not to cache) on all your API routes that are setting up cookies like login and logout. |
I have tried to manually set the headers |
|
This might be the related change https://github.com/vercel/next.js/pull/18986/files |
|
Hey there @dpyzo0o there's definitely something strange that changed between Vercel/Next.js, in the meantime you can set Let me know! |
|
@vvo Thanks, it works. |
|
@dpyzo0o I just updated the next-iron-session repository and now recommend another solution: just make sure to call any route that uses destroy via a POST request. Most proxies and browsers (100%?) will never cache POST requests unless badly or weirdly configured. The two solutions have the same effect, but using POST for logout is more common practice I think. Thanks! |
Before this commit, our examples were showcasing the use of GET /logout. And /logout would then session.destroy(). But GET requests can be cached (cdns, browsers) which makes logout sometimes fails. There are multiple ways to solve this but ultimately logout routes should be POST requests, this is a common way to solve this. fixes #274 Also upgraded most deps
|
🎉 This issue has been resolved in version 4.1.11 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Everything works on: Does not work on Vercel with: |
|
hey @Deivaras I believe this notification was long due sorry about that. Are you using POST requests for logout routes now? I do have that double clicks to logout issue yup, did not investigate (not login though, login is always OK). |
Yes, I'm doing POST request on logout fetch and also on Chrome sometimes when trying to login (after first click) I see the cookie and then you have to click login the second time, while cookie being replaced and only then you got logged in. |
|
Hey there, I believe this is now fixed, have a look at the updated example: 7ffc8bb I cannot reproduce this bad behavior anymore. |
|
Facing this issue now. import { NextApiRequest, NextApiResponse } from 'next';
import { withSessionRoute } from '@utils/iron-router';
const handler = async (req: NextApiRequest, res: NextApiResponse) => {
req.session.destroy();
res.send({ ok: true });
};
export default withSessionRoute(handler);We receive |
|
Changing my endpoint to POST seems to have fixed it now |
|
work out with this // ...
await new Promise<void>((resolve, reject) => {
req.session.destroy((err) => {
if (err) {
reject(err)
} else {
res.clearCookie('ACCESS_TOKEN', {
domain: '.xxx.com'
})
res.clearCookie('REFRESH_TOKEN', {
domain: '.xxx.com'
})
res.clearCookie('connect.sid', {
domain: '.xxx.com'
})
resolve()
}
})
})
// ... |
|
The problem is not solved yet?! UPDATE: |
|
Version 13: |
Hi, I have come across a very annoying bug recently. If you upgrade nextjs to the latest version, which is 10.0.3, and deploy the application on Vercel, the method
req.session.destroy()does not remove the cookies.Here is a repo to reproduce this issue, it's just a redeployment of the next-icon-session's nextjs example but with nextjs upgraded to 10.0.3.
Steps to reproduce:
next-iron-session's nextjs example:
after upgrading nextjs to 10.0.3:
Additional information: This issue only happens when deploying on vercel, it works correctly when I run it locally.
Edit: After downgrading nextjs to 10.0.0, it works correcly on vercel.
The text was updated successfully, but these errors were encountered: