
fix(auth): scope OAuth session cookie via secure + AUTH_COOKIE_PREFIX #377

Merged: ben-fornefeld merged 2 commits into main from t/auth4 on Jun 9, 2026

Conversation

tvi (Contributor) commented Jun 9, 2026

Set the Auth.js OAuth session cookie explicitly with the __Secure- prefix and an optional AUTH_COOKIE_PREFIX. Cookies are scoped by host+path+name (not port), so multiple local dashboards on different localhost ports would otherwise share the default session cookie and clobber each other.

@cla-bot cla-bot Bot added the cla-signed label Jun 9, 2026
vercel Bot commented Jun 9, 2026

The latest updates on your projects.

Project     | Deployment | Updated (UTC)
web         | Ready      | Jun 9, 2026 9:38pm
web-juliett | Ready      | Jun 9, 2026 9:38pm

cursor Bot commented Jun 9, 2026

PR Summary

Low Risk
Session cookie naming and flags only; production behavior follows standard secure cookies unless AUTH_COOKIE_PREFIX is set locally.

Overview
Multiple local dashboards on different localhost ports shared the default Auth.js OAuth session cookie and overwrote each other’s sessions because cookies are not scoped by port.

The OAuth NextAuth config now sets useSecureCookies from production on Vercel, uses the __Secure- cookie name prefix in production, and optionally prefixes the session cookie name with AUTH_COOKIE_PREFIX so each local instance can use a separate cookie.

Reviewed by Cursor Bugbot for commit fa6ae50. Bugbot is set up for automated code reviews on this repo.
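The cookie scoping described in the PR description and in the summary above, as an added example that is not the project's src/auth.ts: it derives the Auth.js session cookie name and attributes from the environment, refuses a __Secure- name that lacks the Secure attribute (browsers drop such a cookie), and shows that two localhost instances collide unless their names differ. The base name authjs.session-token, the VERCEL_ENV variable and all function names are assumptions.

```typescript
// Added example, not the project's src/auth.ts. Derives the Auth.js session
// cookie name and attributes the way the PR describes: __Secure- prefix plus
// Secure flag in production, and an optional AUTH_COOKIE_PREFIX so that
// several dashboards on different localhost ports do not share one cookie.
// Assumed: the base name "authjs.session-token" and the VERCEL_ENV variable.

interface CookieOptions {
  httpOnly: boolean;
  sameSite: "lax";
  path: string;
  secure: boolean;
}

interface SessionCookieConfig {
  name: string;
  options: CookieOptions;
}

interface CookieEnv {
  VERCEL_ENV?: string;         // "production" on a Vercel production deploy (assumed)
  AUTH_COOKIE_PREFIX?: string; // e.g. "dash3000-" for the instance on port 3000
}

function sessionCookieConfig(env: CookieEnv): SessionCookieConfig {
  const useSecureCookies = env.VERCEL_ENV === "production";
  const prefix = env.AUTH_COOKIE_PREFIX ?? "";
  // Browsers only accept a __Secure- cookie when it carries the Secure
  // attribute and is set from a secure origin, so the prefix must track
  // useSecureCookies exactly; plain http://localhost gets no prefix.
  const name = `${useSecureCookies ? "__Secure-" : ""}${prefix}authjs.session-token`;
  return {
    name,
    options: { httpOnly: true, sameSite: "lax", path: "/", secure: useSecureCookies },
  };
}

// Reject a config the browser would silently drop: __Secure- without Secure.
function assertCookiePrefixConsistent(cfg: SessionCookieConfig): void {
  if (cfg.name.startsWith("__Secure-") && !cfg.options.secure) {
    throw new Error(`cookie ${cfg.name} uses __Secure- but secure=false`);
  }
}

// The browser keys cookies by host, path and name and ignores the port, so
// two instances collide exactly when name and path match.
function cookiesCollide(a: SessionCookieConfig, b: SessionCookieConfig): boolean {
  return a.name === b.name && a.options.path === b.options.path;
}
```

The object returned by sessionCookieConfig is the shape Auth.js accepts under cookies.sessionToken; pass useSecureCookies alongside it so the two settings cannot drift apart.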

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stale comment

Comment thread src/auth.ts
Set the Auth.js OAuth session cookie explicitly with the __Secure- prefix
and an optional AUTH_COOKIE_PREFIX. Cookies are scoped by host+path+name
(not port), so multiple local dashboards on different localhost ports
would otherwise share the default session cookie and clobber each other.
@ben-fornefeld ben-fornefeld merged commit 33db5af into main Jun 9, 2026
10 checks passed
@ben-fornefeld ben-fornefeld deleted the t/auth4 branch June 9, 2026 21:44
2 participants