
Many set-cookie headers are sent for a single response #310

Open
josselinonduty opened this issue Dec 22, 2024 · 2 comments

josselinonduty commented Dec 22, 2024

I am implementing my custom local provider.

Here are the response headers for the login endpoint:

HTTP/1.1 201 Created
set-cookie: nuxt-session=<redacted>; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: nuxt-session=; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: nuxt-session=<redacted>; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: nuxt-session=<redacted>; Path=/; HttpOnly; Secure; SameSite=Lax
content-type: application/json
[...]

I feel like I shouldn't get that many new session IDs. For one request, 3 sessions are created and 1 is destroyed?

This is my implementation, which could be one of the causes of this havoc:
/server/api/auth/login.post.ts

export default defineEventHandler(async (event) => {
  // log(getResponseHeaders(event)) n°1 -- no headers set yet

  // Rejects the request if a user session already exists
  await requireGuestSession(event);
  // log(getResponseHeaders(event)) n°2 -- one set-cookie already present here

  const body = await readBody<MyUserInterface>(event, { strict: true });
  const user = await accountController.verify(body);

  // Replaces the session data with the freshly verified user
  await replaceUserSession(event, { user });
  // log(getResponseHeaders(event)) n°3 -- three more set-cookie values appended

  setResponseStatus(event, 201);
  return user;
});

logs:

[Object: null prototype] {} // n°1
[Object: null prototype] { // n°2
  'set-cookie':
   [ 'session_id=<redacted>; Path=/; HttpOnly; Secure; SameSite=Lax' ] }
[Object: null prototype] { // n°3
  'set-cookie':
   [ 'session_id=<redacted>; Path=/; HttpOnly; Secure; SameSite=Lax',
     'session_id=; Path=/; HttpOnly; Secure; SameSite=Lax',
     'session_id=<redacted>; Path=/; HttpOnly; Secure; SameSite=Lax',
     'session_id=<redacted>; Path=/; HttpOnly; Secure; SameSite=Lax' ] }

After calling requireGuestSession, which internally just uses getUserSession, a new session id is set. Why is that so?

Then, after replacing the user session, 3 different cookies are set, 1 empty, and 2 new session ids. Is it really necessary?

Please feel free to let me know anything I've missed, I feel it is the case (:

atinux (Owner) commented Dec 23, 2024

But what is the main HTTP response that you receive in the browser?

josselinonduty (Author) commented:

> But what is the main HTTP response that you receive in the browser?

If you're talking about the headers from the browser's point of view, it is the same thing:

HTTP/1.1 200 OK
set-cookie: session_id=<redacted>; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: session_id=; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: session_id=<redacted>; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: session_id=<redacted>; Path=/; HttpOnly; Secure; SameSite=Lax
content-type: application/json
date: Sat, 04 Jan 2025 18:30:23 GMT
connection: close
content-length: 293

However, if you're talking about the body of the response, everything's right. Just useless headers.
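The headers above can be checked mechanically rather than by eye. The following is an added example (not code from the issue author or from nuxt-auth-utils): it parses each Set-Cookie value, groups entries by cookie name, counts how many times a name is set versus cleared (empty value), reports the value a browser would actually keep (the last one wins, since browsers process Set-Cookie headers in order and all entries here share the same Path), and flags any missing HttpOnly, Secure or SameSite attribute on that final entry. The sample header list is constructed with placeholder values standing in for the redacted session ids; grouping by name alone is an assumption that holds for this response because every entry uses Path=/ and no Domain.

```typescript
// Added example: audit the Set-Cookie headers of one HTTP response.
// Not part of nuxt-auth-utils; names below are this example's own.

interface SetCookieEntry {
  name: string;
  value: string;
  attributes: Record<string, string | true>; // keys lower-cased
  raw: string;
}

// Parse one Set-Cookie header value: "name=value; Attr; Attr=val; ..."
function parseSetCookie(raw: string): SetCookieEntry {
  const [pair, ...attrParts] = raw.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes: Record<string, string | true> = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    if (i === -1) attributes[part.toLowerCase()] = true;
    else attributes[part.slice(0, i).toLowerCase()] = part.slice(i + 1);
  }
  return { name, value, attributes, raw };
}

interface CookieAudit {
  name: string;
  setCount: number;      // entries with a non-empty value
  clearCount: number;    // entries with an empty value (a deletion)
  effectiveValue: string; // what the browser keeps: the last entry wins
  missingFlags: string[]; // hardening attributes absent on the final entry
}

// Group Set-Cookie values by cookie name and summarise each group.
// Assumption: all entries share the same Path and Domain, so the name
// alone identifies the cookie (true for the response in this issue).
function auditSetCookies(headers: string[]): CookieAudit[] {
  const byName = new Map<string, SetCookieEntry[]>();
  for (const h of headers) {
    const entry = parseSetCookie(h);
    const list = byName.get(entry.name) ?? [];
    list.push(entry);
    byName.set(entry.name, list);
  }
  const result: CookieAudit[] = [];
  byName.forEach((entries, name) => {
    const last = entries[entries.length - 1];
    const missingFlags: string[] = [];
    if (!last.attributes['httponly']) missingFlags.push('HttpOnly');
    if (!last.attributes['secure']) missingFlags.push('Secure');
    if (!last.attributes['samesite']) missingFlags.push('SameSite');
    result.push({
      name,
      setCount: entries.filter((e) => e.value !== '').length,
      clearCount: entries.filter((e) => e.value === '').length,
      effectiveValue: last.value,
      missingFlags,
    });
  });
  return result;
}

// Names that were written more than once in a single response: each extra
// write is at best wasted bytes and at worst a sign of duplicated session logic.
function findRedundantCookies(headers: string[]): string[] {
  return auditSetCookies(headers)
    .filter((a) => a.setCount + a.clearCount > 1)
    .map((a) => a.name);
}

// Constructed sample mirroring the four headers quoted in the issue;
// "abc111" etc. are placeholders for the redacted session ids.
const SAMPLE_HEADERS: string[] = [
  'session_id=abc111; Path=/; HttpOnly; Secure; SameSite=Lax',
  'session_id=; Path=/; HttpOnly; Secure; SameSite=Lax',
  'session_id=abc222; Path=/; HttpOnly; Secure; SameSite=Lax',
  'session_id=abc333; Path=/; HttpOnly; Secure; SameSite=Lax',
];

// Example run: for SAMPLE_HEADERS this reports session_id set 3 times,
// cleared once, effective value "abc333", no missing flags.
console.log(auditSetCookies(SAMPLE_HEADERS));
console.log('redundant:', findRedundantCookies(SAMPLE_HEADERS));
```

Run with any TypeScript runner (for example `npx tsx audit.ts`). In a Nuxt/h3 handler the same functions can be applied to the array returned by `getResponseHeaders(event)['set-cookie']` just before returning, which turns the question "how many times did this response set the session cookie?" into an assertion a test suite can enforce.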
