
WIP Implement session-cookie with Session expiration

Open aleehedl opened this issue 3 years ago • 7 comments

☕️ Reasoning

Session cookies which are cleared upon closing the browser (with expires: Session) are a safety feature which has been requested and discussed multiple times (see https://github.com/nextauthjs/next-auth/issues/2534 and https://github.com/nextauthjs/next-auth/issues/974). This pull request is more of a proof-of-concept and is lacking tests & documentation, but I hope it will serve as a starting point for further discussion in order to get the feature properly implemented.

You can now try the feature by starting the development app (npm run dev:app) and setting the maxAge: false in the next-auth options.

🧢 Checklist

  • [ ] Documentation
  • [ ] Tests
  • [ ] Ready to be merged

🎫 Affected issues

Fixes: #2534

aleehedl avatar Jun 09 '22 08:06 aleehedl

Heads up, this might not work: https://github.com/nextauthjs/next-auth/issues/2534#issuecomment-989041887

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#:~:text=Warning%3A%20Many%20web%20browsers%20have%20a%20session%20restore%20feature%20that%20will%20save%20all%20tabs%20and%20restore%20them%20the%20next%20time%20the%20browser%20is%20used.%20Session%20cookies%20will%20also%20be%20restored%2C%20as%20if%20the%20browser%20was%20never%20closed.

balazsorban44 avatar Jun 10 '22 13:06 balazsorban44

Heads up, this might not work: #2534 (comment)

While this might be true, I still think session-expiration is a security enhancement. I'm thinking about those not-so-tech-savvy people using public computers who might not remember to log out. I don't think session-restoration (also known as the "Continue where I left off" feature) in public computers is commonplace, and users shouldn't be able to access those settings.

aleehedl avatar Jun 11 '22 01:06 aleehedl

Please refer to the MDN documentation I linked to. Modern browsers simply don't delete sessions even when closing the browser instance, so this will have no effect on security, nor will it log out users, unfortunately.

balazsorban44 avatar Jun 12 '22 12:06 balazsorban44

Please refer to the MDN documentation I linked to. Modern browsers simply don't delete sessions even when closing the browser instance, so this will have no effect on security, nor will it log out users, unfortunately.

I did read it, and in my opinion, stating that modern browsers don't delete sessions upon close is an over-interpretation of the cited warning. Yes, if the "continue where I left off" feature is enabled, this happens. But on public computers this shouldn't be enabled, and in the browsers that I tested (latest Chrome on Linux and macOS, Safari on macOS), cookies with expires: Session are deleted. On macOS you have to close the browser from the dock. But when you do, session cookies are deleted. Have you tried it yourself?

Even if there are some corner cases with cookie deletion in certain browsers / OSs, it's an extra layer of security and doesn't make anything less secure. Or do you think that implementing a "remember me" feature encourages users not to tick it & not to log out?

aleehedl avatar Jun 13 '22 08:06 aleehedl

I've tried both Firefox and Chrome on my Linux machine and I believe the only way not to let the browser restore the cookies was to kill the browser process, which a normal user won't do.

Admittedly, the last time I checked this was a few months ago (around when the first request about this appeared).

FWIW, I am not against this, only in my experience, this wasn't stable enough in modern browsers to be useful but we'll revisit it then to see if things have changed lately.

My fear is that this can backfire if not consistent in browsers... If you set the expiry to Session and the browser restores it anyway, suddenly the user will never be logged out, which can easily be solved by a very low session expiry time.

balazsorban44 avatar Jun 13 '22 22:06 balazsorban44
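The two behaviours argued about above (a cookie with no Expires/Max-Age that the browser is supposed to drop on exit, versus one that session restore keeps alive) and the mitigation suggested in the last comment (a short server-side session lifetime) can be made concrete in a few lines. The following is an added example and is not code from this PR or from next-auth: the cookie name, the 15-minute lifetime and the CookieJar class are assumptions used to simulate browser behaviour offline.

```javascript
// Added example (not next-auth code). Assumed: a short server-side session
// lifetime, an example cookie name, and a toy CookieJar standing in for the browser.
const SESSION_MAX_AGE_SEC = 15 * 60; // hypothetical server-side session lifetime
const COOKIE_NAME = 'next-auth.session-token'; // example cookie name

// Build a Set-Cookie header. With maxAge === false (or absent) we emit neither
// Max-Age nor Expires, which makes it a "session" cookie: the user agent is
// expected to discard it when the browser closes.
function buildSetCookie(name, value, { maxAge, nowMs = Date.now() } = {}) {
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/', 'HttpOnly', 'Secure', 'SameSite=Lax',
  ];
  if (typeof maxAge === 'number' && maxAge > 0) {
    parts.push(`Max-Age=${maxAge}`);
    parts.push(`Expires=${new Date(nowMs + maxAge * 1000).toUTCString()}`);
  }
  return parts.join('; ');
}

// True when the header carries no persistence attribute (Max-Age or Expires).
function isSessionCookie(setCookieHeader) {
  return !/;\s*(Max-Age|Expires)=/i.test(setCookieHeader);
}

// Minimal stand-in for a browser cookie jar, used only to simulate the
// difference between a plain exit and the "continue where I left off" restore.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  set(setCookieHeader) {
    const [pair, ...attrs] = setCookieHeader.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const persistent = attrs.some((a) => /^(Max-Age|Expires)=/i.test(a));
    this.cookies.set(pair.slice(0, eq), { value: pair.slice(eq + 1), persistent });
  }

  // Simulate closing the browser. With sessionRestore = true (the behaviour the
  // MDN warning describes) session cookies survive as if the browser never closed.
  closeBrowser({ sessionRestore = false } = {}) {
    if (sessionRestore) return;
    for (const [name, c] of this.cookies) {
      if (!c.persistent) this.cookies.delete(name);
    }
  }

  has(name) { return this.cookies.has(name); }
}

// Server-side check that does not depend on the browser honouring "Session":
// the session is dead once issued-at plus the lifetime has passed, so a cookie
// that session restore kept alive is still rejected. `iat` is seconds since epoch.
function sessionIsValid(session, nowSec) {
  return nowSec < session.iat + SESSION_MAX_AGE_SEC;
}

// Walk through both scenarios.
function demo() {
  const sessionHdr = buildSetCookie(COOKIE_NAME, 'opaque-token', { maxAge: false });
  const persistentHdr = buildSetCookie('remember', 'opaque-token', { maxAge: 3600 });

  const plainExit = new CookieJar();
  plainExit.set(sessionHdr);
  plainExit.set(persistentHdr);
  plainExit.closeBrowser();

  const restored = new CookieJar();
  restored.set(sessionHdr);
  restored.closeBrowser({ sessionRestore: true });

  return {
    sessionCookieSurvivesPlainExit: plainExit.has(COOKIE_NAME),      // false
    persistentCookieSurvivesPlainExit: plainExit.has('remember'),    // true
    sessionCookieSurvivesRestore: restored.has(COOKIE_NAME),         // true
    // Even when restored, the server rejects it after SESSION_MAX_AGE_SEC.
    restoredCookieStillValidServerSide: sessionIsValid({ iat: 0 }, SESSION_MAX_AGE_SEC),
  };
}
```

The point of `sessionIsValid` is the backfire case from the comment above: if the browser restores a cookie that was meant to die with the window, the only thing that still logs the user out is the lifetime enforced on the server, so a "session" cookie should be paired with a short server-side expiry rather than relied on alone.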

I would like to check on the status of this PR. I would love to have session-cookie functionality with NextAuth...

haase1020 avatar Aug 16 '22 13:08 haase1020

@balazsorban44 iron-session allows this to be configurable, https://github.com/vvo/iron-session#session-cookies. I'm not sure I'm understanding the reasoning that it may not work on all browsers; surely that's for whoever is configuring it to risk.

jamaybyrone avatar Jun 12 '23 08:06 jamaybyrone

Hi @aleehedl @balazsorban44, let's find closure for this PR 🤝. In summary, I think the net benefit of this feature won't outweigh the complexity/maintenance burden it brings, because a session cookie (without Expires) would still be kept by modern browsers, leading to unexpected behaviors.

I am going to close this PR for now due to a long period of inactivity. If we see enough interests on the feature, we shall revisit it again.

ThangHuuVu avatar Jul 10 '23 16:07 ThangHuuVu