next-auth
/auth/session duplicate Set-Cookie header
Environment
System:
  OS: Linux 5.15 Ubuntu 24.04 LTS 24.04 LTS (Noble Numbat)
  CPU: (4) x64 AMD Ryzen 7 3700X 8-Core Processor
  Memory: 14.34 GB / 15.62 GB
  Container: Yes
  Shell: 5.2.21 - /bin/bash
Binaries:
  Node: 18.19.1 - /usr/bin/node
  npm: 9.2.0 - /usr/bin/npm
npmPackages:
  @auth/unstorage-adapter: ^2.0.0 => 2.2.0
  next: latest => 14.2.4
  next-auth: beta => 5.0.0-beta.19
  react: ^18.2.0 => 18.3.1
Also experienced in: node:22-alpine Docker environment w/ "react": "18.3.0", "next": "^14.2.3", "next-auth": "^5.0.0-beta.19",
Reproduction URL
https://github.com/Rikaelus/nextauth-bug-cookies
Describe the issue
Post-authentication calls to /auth/session result in two authjs.session-token cookies being set in the HTTP headers. While they have different hash values, I believe they ultimately store the same underlying information and their difference is consistently just one byte. I've witnessed this with both the CredentialsProvider (as in the example project) and a custom OIDC provider.
Calls to similar endpoints, such as /auth/providers, only return the single cookie.
This is particularly problematic with larger cookies (our actual use case is just shy of 4K) due to the double cookies exceeding our load balancer header size allowances.
How to reproduce
- Download and start attached project
- Log in with the lone credentials configuration (will yield a workable session, albeit with no user data)
- Proceed directly to http://localhost:3000/auth/session and review response headers/cookies.
Expected behavior
A lone authjs.session-token cookie being set.
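A regression check for the behaviour reported above, as an added example that is not part of the original issue or of next-auth's own code: it takes the Set-Cookie values of one response (for instance from `Headers.getSetCookie()`), flags cookie names set more than once, and compares the combined header size with a limit. The function names, the 8192-byte limit and the sample cookie values are assumptions constructed for illustration.

```javascript
// Assumed header budget; substitute the real limit of your load balancer.
const MAX_HEADER_BYTES = 8192;

// Parse one Set-Cookie header value into its cookie name and wire size.
function parseSetCookie(value) {
  const firstPair = value.split(";", 1)[0];
  const eq = firstPair.indexOf("=");
  const name = (eq === -1 ? firstPair : firstPair.slice(0, eq)).trim();
  // Size on the wire includes the "Set-Cookie: " field name and the CRLF.
  const bytes = Buffer.byteLength(`Set-Cookie: ${value}\r\n`, "utf8");
  return { name, bytes };
}

// Report cookie names that appear more than once and the total header cost.
function auditSetCookies(headerValues, maxBytes = MAX_HEADER_BYTES) {
  const counts = new Map();
  let totalBytes = 0;
  for (const value of headerValues) {
    const { name, bytes } = parseSetCookie(value);
    counts.set(name, (counts.get(name) || 0) + 1);
    totalBytes += bytes;
  }
  const duplicates = [...counts]
    .filter(([, n]) => n > 1)
    .map(([name]) => name);
  return { duplicates, totalBytes, overLimit: totalBytes > maxBytes };
}

// Constructed sample: two session cookies just shy of 4K each, differing
// only in value, plus one small cookie. Not captured from a real response.
const attrs = "; Path=/; HttpOnly; SameSite=Lax";
const sample = [
  "authjs.session-token=" + "A".repeat(4000) + attrs,
  "authjs.session-token=" + "B".repeat(4000) + attrs,
  "authjs.csrf-token=constructed" + attrs,
];

console.log(auditSetCookies(sample));
// With the duplicate removed, the same response fits within the budget.
console.log(auditSetCookies(sample.slice(1)));
```
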