Session sent to other user
I cannot reproduce it. I already opened a bug about it, but it got closed. I don't know what to do anymore. Sometimes a user gets logged in with another user's account. It happens around once a week. I already had my code checked by the latest AI bots etc. I can't find anything about it. My config:
I don't use any other auth middleware besides this. It can not be the login function, because it happens even when the user is already logged in and did not pass the check-OTP or login page. There must be something wrong in the plugin somewhere. I do use Vercel. Now, as my last resort, I have set no-cache on all APIs.
Could this not be the edge case? Instead of `getSession`, use `getUser`, as recommended in the Supabase docs?
Is SSR on or off? Is your project public by any chance?
SSR is on. The website itself is https://foodtrucksenzo.nl/. It's not public but I could invite you to see the code. Thanks!
OK, it happened again. My co-worker got logged in as another user. In the logs I don't see anything. I don't use `user = supabase` outside the event handler. I don't use `getUser` or `getSession` anywhere. I asked Claude etc. to check; nothing comes out. I just use nuxt.config for setting protected routes. The only thing I sometimes see is a warning from Supabase about using `getSession` instead of `getUser`, but that's it.
OK, I am almost 100% certain that it is caused by the ISR cache. It gives the issue on both Netlify and Vercel. I disabled the cache and no issue anymore.
```ts
// routeRules block from nuxt.config (entries commented out since disabling the ISR cache)
routeRules: {
  // "/": { isr: 60 },
  // "/foodtrucks": { isr: 60 },
  // "/foodtrucks/**": { isr: 60 },
  // "/zo-werkt-het": { isr: 60 },
  // "/open-aanvragen": { isr: 60 },
  // "/over-ons": { isr: 60 },
  // "/foodtruck-aanmelden": { isr: 60 },
  // "/contact": { isr: 60 },
},
```
and
```ts
// @nuxtjs/supabase module options: redirect unauthenticated users on the dashboard routes to the login page
supabase: {
  redirect: true,
  redirectOptions: {
    login: "/account/inloggen",
    callback: "/confirm",
    include: ["/dashboard", "/dashboard/**"],
    exclude: [],
  },
},
```
It is hard to replicate. It happens randomly. I just open the homepage while not signed in and wait a couple of hours. When another user then logs in and uses the application, there is a chance that all of a sudden the not-signed-in user is signed in as that user.
Besides these auth rules I don't generate any other user sessions or auth changes.
This is almost always a caching issue; headers are not properly set.
I understand. But I have no idea how to fix this. For now I don't use the ISR cache, and it hasn't happened since. Are there other users who do use the ISR cache successfully with the Nuxt Supabase module?
Hey @jlemonz, were you using the `@nuxtjs/supabase` library by any chance?
You mean this: `"@nuxtjs/supabase": "1.5.1"`? I use that. Isn't that the package from the repo?
I haven't turned on the ISR cache anymore, and that solves the problem. I haven't tried to replicate it yet in a clean project. What I could do in my project is just turn on the ISR cache, log in, and open the website on another PC and just wait a couple of hours. All of a sudden I am logged in as the user from the other computer.
We're experiencing the same issue on Vercel Edge with Nuxt 4.1.3 + @nuxtjs/supabase 2.0.1.
What happened:
- Enabled ISR on landing pages only (`/`, `/blog/**`, legal pages)
- Within 24 hours: 2 users reported signing in and getting access to a different user's account
- They sent screenshots & screen recordings confirming they saw someone else's data
The confusing part:
We only enabled ISR for public landing pages. The session mixup occurred on /app/** routes which have ssr: false. It seems like enabling ISR anywhere affects the entire app.
Temporary fix: Disabled ISR completely for now.
Any idea what this could be about? Would be great to be able to use ISR.
I'm not familiar with Vercel's ISR, but a super quick Google makes it sound like, as others stated, it's a cache issue. Is there a way to modify the headers to include the user ID or something unique to ensure that they only receive their cached content?
Nitro uses cached keys for this purpose.
I never fixed it. I just stopped using the ISR cache with Supabase users. There is no doc about how to prevent logged-in users' pages and headers from getting cached.

> I'm not familiar with Vercel's ISR, but a super quick Google makes it sound like, as others stated, it's a cache issue. Is there a way to modify the headers to include the user ID or something unique to ensure that they only receive their cached content?
>
> Nitro uses cached keys for this purpose.
I just looked into this a little more this morning. It does appear that you shouldn't use ISR on any pages of an authenticated site as it can cause cookie leakage. Best to just disable it in the nuxt.config.ts.
But how does WordPress do it then, for example? It can also have a server cache. There is no issue with leaking user headers. How can it not be possible to set somewhere to not cache a page if it's one with auth headers?

> I just looked into this a little more this morning. It does appear that you shouldn't use ISR on any pages of an authenticated site as it can cause cookie leakage. Best to just disable it in the nuxt.config.ts.
I'm not sure how WP does it either, but I know that on my instances I don't cache the response. I cache the API data on the Nitro server since that's the link in the chain on my end that is slower. I specify the user/team in the cache key so that there's no leakage.
Again, I'm not familiar with Vercel and ISR. I just created a project and was able to duplicate the same issue as you. Disabling it all does prevent the issue.
Honestly, I don't know how you could cache HTML data and not prevent leakage. You'd have to have it be a template and hydrate the changes at the client level I'd assume.
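The mechanism the thread is circling around, as an added example that is not code from the page, from @nuxtjs/supabase, Nitro or Vercel: a minimal model of a shared response cache in front of a server-rendered app. It shows how a cache keyed on the URL alone hands the first logged-in user's rendered page, cookie header included, to the next visitor of that URL, and the two defensive rules the last comments describe: never store a response the origin marked private/no-store or that carries Set-Cookie, and put the user identity in the key of anything you do cache per user. The `sb-session` cookie name, the `SESSIONS` table, the `origin` renderer and the request shapes are all constructed for this example.

```javascript
// Constructed session table: cookie value -> user. Stands in for a server-side
// session lookup; it is not a Supabase API.
const SESSIONS = { 'tok-alice': 'alice', 'tok-bob': 'bob' };

// Extract the (constructed) sb-session cookie value, or null when absent.
function sessionToken(req) {
  const m = /(?:^|;\s*)sb-session=([^;]+)/.exec(req.headers.cookie || '');
  return m ? m[1] : null;
}

// Resolve the cookie to a user name, or null for a guest.
function identify(req) {
  const tok = sessionToken(req);
  return tok && SESSIONS[tok] ? SESSIONS[tok] : null;
}

// The origin server (constructed): renders a page for whoever the cookie says is
// logged in. A personalised page is marked private/no-store and refreshes the
// session cookie; the guest page is explicitly public and cacheable.
function origin(req) {
  const user = identify(req);
  const headers = user
    ? { 'cache-control': 'private, no-store',
        'set-cookie': `sb-session=${sessionToken(req)}; Path=/; HttpOnly; Secure` }
    : { 'cache-control': 'public, max-age=60' };
  return {
    status: 200,
    headers,
    body: user ? `<h1>Dashboard for ${user}</h1>` : '<h1>Welcome, guest</h1>',
  };
}

// A response may be stored in a shared cache only if the origin did not mark it
// private/no-store and it sets no cookie (a Set-Cookie replayed to another
// visitor is exactly the "logged in as someone else" symptom).
function isCacheable(res) {
  const cc = (res.headers['cache-control'] || '').toLowerCase();
  if (/\b(private|no-store)\b/.test(cc)) return false;
  if ('set-cookie' in res.headers) return false;
  return true;
}

// Model 1: a page cache keyed on URL only that stores whatever the origin returns.
// The first user to render a URL populates the entry; every later visitor gets that copy.
function makeUrlKeyedCache() {
  const store = new Map();
  return function handle(req) {
    const key = req.url;
    if (store.has(key)) return { ...store.get(key), servedFrom: 'cache' };
    const res = origin(req);
    store.set(key, res);
    return { ...res, servedFrom: 'origin' };
  };
}

// Model 2: the same cache with both defensive rules applied. Public pages are
// still served from cache; personalised responses are never stored, and any
// per-user entry is keyed on the user as well as the URL.
function makeSafeCache() {
  const store = new Map();
  return function handle(req) {
    const key = `${identify(req) ?? 'anon'}|${req.url}`;
    if (store.has(key)) return { ...store.get(key), servedFrom: 'cache' };
    const res = origin(req);
    if (isCacheable(res)) store.set(key, res);
    return { ...res, servedFrom: 'origin' };
  };
}

// Scenario from the thread: a logged-in user renders a page first, then a visitor
// who never signed in opens the same URL a little later. Also checks that the
// guest landing page still benefits from caching.
function scenario(handle) {
  const bob = { url: '/dashboard', headers: { cookie: 'sb-session=tok-bob' } };
  const guest = { url: '/dashboard', headers: {} };
  const landing = { url: '/', headers: {} };
  const bobRes = handle(bob);
  const guestRes = handle(guest);
  handle(landing);
  const landingAgain = handle(landing);
  return {
    bobSaw: bobRes.body,
    guestSaw: guestRes.body,
    guestGotCookie: 'set-cookie' in guestRes.headers,
    landingSecondServedFrom: landingAgain.servedFrom,
  };
}

const leaky = scenario(makeUrlKeyedCache()); // guestSaw is bob's dashboard, cookie included
const fixed = scenario(makeSafeCache());     // guestSaw is the guest page, landing still cached
console.log({ leaky, fixed });
```

The URL-keyed model is the behaviour reported above: nothing in the guest's request is wrong, the cache simply replays a stored personalised response. The safe model caches public pages as before and drops anything personal, which is why disabling ISR fixed the symptom in the thread and why, for API data, the cache key has to carry the user or team.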