Session-token cookie not set

[Mikhail1Demianenko]

Question 💬

Hello community.
Thank you for an amazing library!

I am trying to create a nextjs app with many subdomains, such that the user can authenticate using the apex domain (no subdomain) and share the auth state across the rest subdomains.
This issue has been discussed here, here and documented here.

Basically, what is suggested is to add the following object into the object we pass to the NextAuth function in [...nextauth].js:

cookies: {
    sessionToken: {
      name: "next-auth.session-token",
      options: {
        domain: ".localhost",
        path: "/",
        httpOnly: true,
        sameSite: "lax",
        secure: false
      }
    }
  }

(In the object I hardcoded the values for local dev env, so it is easier to read)
With the key thing in the object being the dot before the domain.

Without this object, the cookie after login is set correctly:

And the cookies set in the browser are just 5 in total

However, with that object I have the following picture:

The session-token cookie has disappeared. And, of course, authentication status results in unauthenticated, even though a session gets created.

Moreover, browser now has 25 cookies set:

Having gone through all the above posts it seems to have worked for others, but sadly not for me

Does anyone have any idea what I am doing wrong?

Thank you!

How to reproduce ☕️

[...nextauth].js file with next-auth v.4.2.1:

const prisma = new PrismaClient();

export default NextAuth({
  adapter: PrismaAdapter(prisma),
  cookies: {
    sessionToken: {
      name: "next-auth.session-token",
      options: {
        domain: ".localhost",
        path: "/",
        httpOnly: true,
        sameSite: "lax",
        secure: false
      }
    }
  },
  providers: [
    Google({
      clientId: 'clientId',
      clientSecret: 'clientSecret'
    })
  ],
  secret: 'secret'
  session: {
    strategy: "database",
    maxAge: 30 * 24 * 60 * 60,
  },
  pages: {
    signIn: '/auth/login',
  }
})

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

[umerjaved178]

Hey @Mikhail1Demianenko I am facing the same issue, as soon as I add this object

cookies: {
    sessionToken: {
      name: "next-auth.session-token",
      options: {
        domain: ".localhost",
        path: "/",
        httpOnly: true,
        sameSite: "lax",
        secure: false
      }
    }
  }

Session cookie won't get generated and thus result in an unauthenticated session.
It is a bug on next-auth side with the new version. I have experimentally installed v3 of next-auth, session is getting authenticated, cookie name is changing to my custom one, but ofcourse 'domain' is not working as it was not supported in that version
Team can you please look into this issue and moved it from discussion to BUGS

[umerjaved178]

@Mikhail1Demianenko 🚀
So nice of you man! you have saved my days ☺️ 😊

It is resolved

A few things to avoid for future readers:

1. I couldn't set 'http' on google console because I have selected a few scopes that need only 'https' connection if the domain is other than localhost
2. it is compulsory to set NEXTAUTH_URL to the new domain, you can't leave it empty else it will redirect you to localhost
3. domain value in cookies -> sessionToken must not be just 'test', it should be '.test.com'
4. As earlier mentioned by Mikhail, the problem is with local host domain (some browser security things), you have to change it to a custom domain in /etc/hosts/ file
5. sometimes 'states' error pops up, switch to incognito mode

[Mikhail1Demianenko]

Im glad it helped 😊

[jackrdye]

Hi there,

Thank you for your reply As the matter of fact, I also tried do set the cookie manually through browser and tried to change domain of already existing one. Result - the cookie wouldn't get set or got deleted. The problem therefore was not next-auth, I figured out later, but the localhost domain: there is a policy in browsers restraining you from adding a leading dot for localhost (i dont know the details) So what I did instead is I added the following lines to the /etc/hosts:

127.0.0.1	test.com
127.0.0.1	app.test.com

And the cookie was then available on app. subdomain. As a heads-up, if you go with this option, you will have to type test.com:3000 instead of localhost:3000 in the URL bar and /etc/hosts does not allow a wildcard subdomains, so I simply created another record like '127.0.0.1 sub.test.com', which is good enough for me to represent all subdomains for dev env

You are my savior <3. I feel like the docs could definitely be clearer on this setup. Spent 24 hours + on this ... (this should be included in the docs tbh)

[MatteoGauthier]

Hey @Mikhail1Demianenko @umerjaved178 @jackrdye ! Sorry to bother you, many people seem to have had this problem before you (including me), do you have a public repository or guide to solve this problem? Have a nice day!

[EPanni]

@Mikhail1Demianenko , sorry but how come adding those lines to /etc/hosts solves this problem if when someone else try to log in to the app ( from his/her local machine ) it will not work since they did not set it up?

[codingcaffeine]

mine works like this

import NextAuth, { NextAuthOptions } from "next-auth"
import GithubProvider from "next-auth/providers/github"
import { PrismaAdapter } from "@next-auth/prisma-adapter";
import prisma from "@/lib/prisma";

// For more information on each option (and a full list of options) go to
// https://next-auth.js.org/configuration/options
export const authOptions: NextAuthOptions = {
  adapter: PrismaAdapter(prisma),
 
  // https://next-auth.js.org/configuration/providers/oauth
  providers: [
    GithubProvider({
      clientId: process.env.GITHUB_ID as string,
      clientSecret: process.env.GITHUB_SECRET as string,
    }),
  ],
  secret: process.env.SECRET,
  session: {
    strategy: 'database'
  }
}

export default NextAuth(authOptions)

[smcelhinney]

I'd just like to add that it took me ages to figure this out - but it's mentioned in the first line of the original question. The NextAuth sessionCookie needs to be created on the apex domain, in order to be accessible across subdomains.

When I originally configured my Next.js project, I took sensible defaults which involved them creating a 308 Redirect from mydomain.dev -> www.mydomain.dev, which meant that I was effectively authing on a subdomain.

I had to remove this redirect (I wasn't using it anyway) and it worked.

[iiiok]

Next-Auth Session-token issues have been hindering me for half month.
Some time, unable to getSession after Login, some time unable to logout.
--------------Here is how it solved, update Ur next-auth library AND Ur NEXT library !
"next": "^13.3.1",
"next-auth": "^4.22.1",

[Strajk]

For people arriving here when googling for disappearing Session-token cookie:

Check that all your getServerSession(...) calls are passed same config as the third arg, as mentioned in docs

I had following in my codebase, and the second line caused session-token to be overridden to empty string, thus causing log out

getServerSession(ctx.req, ctx.res, authOptions) // in one file
getServerSession(ctx.req, ctx.res, {}) // in another file

[trevorpfiz]

anyone have success getting the session token cookie in subdomains when using "next-auth": "5.0.0-beta.4",? will update here if I figure anything out.

[trevorpfiz]

#9631

[trevorpfiz]

my current workaround is to not wrap the middleware with auth, I just use it like this:

export default async function middleware(req: NextRequest) {
  const url = req.nextUrl;
  const session = await auth();
  const isLoggedIn = !!session?.user;

[atalaykarahan]

Hi i have the same next-auth version and my project already deployed but whenever i deploy my project my entire cookie has domain error. But if i try in local everything is perfect and i cant find anything about "auth.js cookie domain settings" documents or something like that do you have the same issue

how can i solved this issue can you help me?