next-auth: Signout does not logout user when session is being requested simultaneously
Environment
System:
OS: macOS 12.3.1
CPU: (16) x64 Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz
Memory: 1.18 GB / 32.00 GB
Shell: 5.8 - /bin/zsh
Binaries:
Node: 14.17.0 - ~/.nvm/versions/node/v14.17.0/bin/node
Yarn: 1.22.10 - /usr/local/bin/yarn
npm: 8.5.5 - ~/.nvm/versions/node/v14.17.0/bin/npm
Watchman: 2022.03.21.00 - /usr/local/bin/watchman
Browsers:
Chrome: 101.0.4951.64
Edge: 101.0.1210.53
Firefox: 100.0.2
Safari: 15.4
npmPackages:
next: ^12.0.11-canary.4 => 12.1.6
next-auth: latest => 4.3.4
react: ^17.0.2 => 17.0.2
Reproduction URL
https://next-auth-example.vercel.app
Describe the issue
Using signOut() with multiple tabs open, I discovered that sometimes the user was not getting logged out. While the /session call initially returns an empty object, subsequent calls would return the user’s session again, failing to log out the user. This was happening because, on logout, my application would redirect to a specific logout page where we check if the user is authenticated by calling /session, which was authenticating the user again. This is reproducible on the official example as well if we reload one of the tabs after calling sign out from the other.
How to reproduce
I reproduced the issue with the official next-auth-example project. Steps to reproduce:
- Open the example project in two different tabs.
- Log in to the app.
- Sign out of the app then immediately switch to the other tab and reload the page.
Current behavior:
The signout endpoint responds with a 200 status; however, the session is not cleared and the user is still logged in.
Expected behavior
The user should be logged out or the /signout API should respond with an error code.
About this issue
- State: closed
- Created 2 years ago
- Reactions: 10
- Comments: 32 (4 by maintainers)
Up with this.
This seems to only happen on our prod when multiple requests are firing at once. The `signOut` doesn’t work as intended and only refreshes the page (without logging out the user).
Solution:
1. `GET` `/logout` endpoint of the provider to destroy user’s session
2. `signOut()` to clear session cookies, only if step 1 was successful

For more details: https://stackoverflow.com/a/75484849/12581494
I had a similar issue with this while using the Keycloak provider. Next auth was clearing the session on the browser side, but not on the Keycloak server itself. The fix I implemented was to await the signOut function of next auth and use a callbackUrl to a signout page I created that calls the end session endpoint of Keycloak and redirects back to the website itself.
```js
await signOut({ callbackUrl: "/api/auth/logout", });
```
And then pages/api/auth/logout.ts
```ts
export default (req, res) => {
  const url = process.env.REDIRECT_URL;
  res.redirect(url);
}
```
Hi @ben-walcutt,
Not related to the issue, but there is a better approach to your problem by adding it on next-auth’s event (https://next-auth.js.org/configuration/events#signout).
It’ll be called after triggering `signOut`.
Can I ask, add what here?
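One way to do what the events suggestion above describes, as an added example that is not code from this thread or from next-auth: keep the provider's ID token in the JWT and end the provider session from the `signOut` event. It assumes JWT sessions, a Keycloak-style end-session path, an environment variable named `KEYCLOAK_ISSUER`, and the hypothetical helper names used here; it covers the provider-side session only, not the multi-tab race.

```javascript
// Added example, not next-auth's or the commenters' code.
// Assumptions: JWT session strategy, a Keycloak-style OIDC provider whose
// end-session endpoint is <issuer>/protocol/openid-connect/logout, and the
// hypothetical helper names below.

// Build the provider's end-session URL for the user's ID token.
function buildEndSessionUrl(issuer, idToken) {
  const url = new URL(issuer.replace(/\/$/, "") + "/protocol/openid-connect/logout");
  url.searchParams.set("id_token_hint", idToken);
  return url.toString();
}

// Ask the provider to end its own session. Returns true only on a 2xx reply,
// so callers can log or alert when the provider session survives.
async function endProviderSession(token, issuer, fetchImpl = globalThis.fetch) {
  if (!token || !token.idToken) return false; // nothing to revoke with
  try {
    const res = await fetchImpl(buildEndSessionUrl(issuer, token.idToken));
    return res.ok;
  } catch (err) {
    return false; // bad issuer or network failure: session may still be alive
  }
}

// Fragment to merge into the options passed to NextAuth().
const authOptionsFragment = {
  callbacks: {
    // `account` is only present on sign-in; keep the ID token in the JWT.
    async jwt({ token, account }) {
      if (account && account.id_token) token.idToken = account.id_token;
      return token;
    },
  },
  events: {
    // Runs server-side after signOut; `token` is passed for JWT sessions.
    async signOut({ token }) {
      // KEYCLOAK_ISSUER is an assumed variable name for the realm issuer URL.
      const ok = await endProviderSession(token, process.env.KEYCLOAK_ISSUER);
      if (!ok) console.warn("provider session was not ended on signOut");
    },
  },
};
```

Because the event runs on the server, the client only needs to call `signOut()`; a `false` result is worth logging, since the provider session can then silently sign the user back in.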
This issue still occurs, happens to me if there are more than 3 tabs open simultaneously. The user will log out and right be logged in again, the session status going from `loading` to `unauthenticated` to `authenticated`.
Not sure why but on production after the provider logs out the user from their service and redirects back to our web app - the session will not clear even if signOut from NextAuth is called on the client side.
NextAuth + Azure AD Provider
It is true.
Exact same thing that @sulaimanwebdev commented out is happening to me as well.
Update: When there are multiple tabs open with the same user login, the logout function doesn’t work; it only works when a single tab is opened. I think this is a major issue; Auth.js/Next-Auth should check it.
I’ve resolved this issue with the following solution:
Same issue with FusionAuth here… Any ideas?
I am still having this issue, signOut does not delete the session. How can I delete the session by myself?