Comments (17)
@dpyzo0o I just updated the next-iron-session repository and now recommend another solution: just make sure to call any route that uses destroy via a POST request. Most proxies and browsers (100%?) will never cache POST requests unless badly or weirdly configured.
The two solutions have the same effect, but using POST for logout is more common practice I think.
Thanks!
from iron-session.
Changing my endpoint to POST seems to have fixed it now
from iron-session.
The problem is not solved yet?!
UPDATE:
the request should be POST to solve the problem.
from iron-session.
Thanks for the detailed bug report and first analysis.
The failing version is 10.0.2. Now we need to:
- understand if they fixed a bug, which in turn made our code buggy (and we should update our code)
- or if they introduced a bug (and we need to find it, and they/we need to fix it)
- find/identify the right change here: https://github.com/vercel/next.js/releases/tag/v10.0.2
- or maybe the change is on the Vercel platform itself
I am doing some tests right now, let me know how it goes on your side.
from iron-session.
More info on the issue: this is because of the caching mechanism. Now why has it changed on the latest Next.js versions: I don't know and I think you should write to the Vercel support to know more.
A possible workaround for now would be to manually set caching headers (informing not to cache) on all your API routes that are setting up cookies like login and logout.
from iron-session.
> More info on the issue: this is because of the caching mechanism. Now why has it changed on the latest Next.js versions: I don't know and I think you should write to the Vercel support to know more.
> A possible workaround for now would be to manually set caching headers (informing not to cache) on all your API routes that are setting up cookies like login and logout.
I have tried to manually set the headers with res.setHeader('cache-control', 'public, max-age=0, must-revalidate') and it does not seem to work. I'm not an expert on HTTP caching so I don't know if I'm doing it the right way...
from iron-session.
This might be the related change https://github.com/vercel/next.js/pull/18986/files
from iron-session.
Hey there @dpyzo0o, there's definitely something strange that changed between Vercel/Next.js. In the meantime you can set res.setHeader("cache-control", "no-store, max-age=0"); on your logout route and that should do it, even on Vercel.
Let me know!
from iron-session.
@vvo Thanks, it works.
from iron-session.
🎉 This issue has been resolved in version 4.1.11 🎉
The release is available on:
Your semantic-release bot 📦🚀
from iron-session.
> 🎉 This issue has been resolved in version 4.1.11 🎉
> The release is available on:
> Your semantic-release bot 📦🚀
Everything works on:
Google Chrome Version 88.0.4324.150 (Official Build) (64-bit) with
"next": "^10.0.6",
"next-iron-session": "^4.1.11"
on development and production on Vercel. Also sometimes it takes two clicks to login.
Does not work on Vercel with:
Firefox 85.0.2 (64-bit);
Firefox developer edition 86.0b8 (64-bit);
from iron-session.
Hey @Deivaras, I believe this notification was long due, sorry about that.
Are you using POST requests for logout routes now? I do have that double-click-to-logout issue, yup, did not investigate (not login though, login is always OK).
from iron-session.
> Hey @Deivaras, I believe this notification was long due, sorry about that.
> Are you using POST requests for logout routes now? I do have that double-click-to-logout issue, yup, did not investigate (not login though, login is always OK).
Yes, I'm doing a POST request on the logout fetch. Also, on Chrome, sometimes when trying to log in (after the first click) I see the cookie, and then you have to click login a second time, while the cookie is being replaced, and only then do you get logged in.
from iron-session.
Hey there, I believe this is now fixed, have a look at the updated example: 7ffc8bb
I cannot reproduce this bad behavior anymore.
from iron-session.
Facing this issue now.
import { NextApiRequest, NextApiResponse } from 'next';
import { withSessionRoute } from '@utils/iron-router';

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
  req.session.destroy();
  res.send({ ok: true });
};

export default withSessionRoute(handler);

We receive an ok response but the session isn't destroyed when we try another API route straight after. Locally this works fine. On Vercel it doesn't for some reason.
from iron-session.
Worked it out with this:

// ...
await new Promise<void>((resolve, reject) => {
  req.session.destroy((err) => {
    if (err) {
      reject(err)
    } else {
      res.clearCookie('ACCESS_TOKEN', {
        domain: '.xxx.com'
      })
      res.clearCookie('REFRESH_TOKEN', {
        domain: '.xxx.com'
      })
      res.clearCookie('connect.sid', {
        domain: '.xxx.com'
      })
      resolve()
    }
  })
})
// ...
from iron-session.
Version 13:
After 3 hours, changing the request to POST solved the problem. Shouldn't this have been more explicit?
from iron-session.
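The two workarounds discussed in this thread (a POST-only logout route and `Cache-Control: no-store`), combined in one wrapper. This is an added example, not part of the original thread or of the iron-session code base: `sessionMutationRoute`, `mockRes` and `simulate` are hypothetical names, and the handler assumes the Next.js API-route `req`/`res` shape with `req.session.destroy()` as used in the comments above.

```javascript
// Added example: wrapper for routes that set or clear the session cookie.
// sessionMutationRoute, mockRes and simulate are hypothetical, not iron-session APIs.
function sessionMutationRoute(handler) {
  return async function wrapped(req, res) {
    // Never let a proxy, CDN or browser store a response that carries Set-Cookie.
    res.setHeader("Cache-Control", "no-store, max-age=0");
    if (req.method !== "POST") {
      // A GET logout can be answered from a cache, so destroy() never runs.
      res.setHeader("Allow", "POST");
      res.statusCode = 405;
      res.end(JSON.stringify({ ok: false, error: "Use POST" }));
      return;
    }
    await handler(req, res);
  };
}

// Logout handler in the shape posted in the thread.
const logout = sessionMutationRoute(async (req, res) => {
  await req.session.destroy();
  res.statusCode = 200;
  res.end(JSON.stringify({ ok: true }));
});

// Constructed stand-in for the Next.js response object so this runs offline.
function mockRes() {
  const headers = {};
  return {
    statusCode: 0,
    body: "",
    headers,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    end(body) { this.body = body; },
  };
}

// Sends one constructed request through the wrapped route and reports the outcome.
async function simulate(method) {
  const session = { destroyed: false, destroy() { this.destroyed = true; } };
  const res = mockRes();
  await logout({ method, session }, res);
  return {
    status: res.statusCode,
    destroyed: session.destroyed,
    cacheControl: res.headers["cache-control"],
    allow: res.headers["allow"],
  };
}

simulate("GET").then((r) => console.log("GET ", r));
simulate("POST").then((r) => console.log("POST", r));
```

The client then has to call the route with `fetch("/api/logout", { method: "POST" })`; the `/api/logout` path is an assumption.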