iron-session: `req.session.destroy()` does not remove cookies with the latest version of NextJS when hosting on Vercel

Hi, I have come across a very annoying bug recently. If you upgrade nextjs to the latest version, which is 10.0.3, and deploy the application on Vercel, the method req.session.destroy() does not remove the cookies.

Here is a repo to reproduce this issue, it’s just a redeployment of the next-icon-session’s nextjs example but with nextjs upgraded to 10.0.3.

Steps to reproduce:

login
logout (first time it will succeed with a 200 return)
login again
logout (this time it will fail to remove the cookie with a 304 return)

next-iron-session’s nextjs example:

1607513150016

after upgrading nextjs to 10.0.3:

1607513145304

Additional information: This issue only happens when deploying on vercel, it works correctly when I run it locally.

Edit: After downgrading nextjs to 10.0.0, it works correcly on vercel.

About this issue

Original URL
State: closed
Created 4 years ago
Reactions: 1
Comments: 17 (7 by maintainers)

Commits related to this issue

docs(examples): advise using POST when destroy() is used Before this commit, our examples were showcasing the use of GET /logout. And /logout would then session.destroy(). But GET requests can be cac... — committed to vvo/iron-session by vvo 4 years ago

Most upvoted comments

@dpyzo0o I just updated the next-iron-session repository and now recommend another solution: just make sure to call any route that uses destroy via a POST request. Most proxies and browsers (100%?) will never cache POST requests unless badly or weirdly configured.

The two solutions have the same effect, but using POST for logout is more common practice I think.

Thanks!

vvo on Dec 9, 2020

The problem is not solved yet?!

UPDATE: the request should be POST to solve the problem.

behzad-ahmadi on Mar 6, 2023

Changing my endpoint to POST seems to have fixed it now

elie222 on Jul 28, 2022