
Page Refresh On Chrome Invalidates session #524

Closed
ogomaemmanuel opened this issue Sep 4, 2023 · 5 comments

Comments

@ogomaemmanuel

### Environment

Chrome Browser
macOS Ventura

### Reproduction

nuxt config (`nuxt.config.ts`):

```ts
export default defineNuxtConfig({
  modules: ['@sidebase/nuxt-auth', '@sidebase/nuxt-session'],
  css: ['~/assets/css/main.css'],
  auth: {
    origin: "http://localhost:3000",
    enableGlobalAppMiddleware: false
  },
  devtools: { enabled: true },
  proxy: {
    "/api/v1": {
      target: process.env.BASEURL,
      pathRewrite: { "^/api/v1": "/api/v1" },
      changeOrigin: true
    }
  }
})
```

### NuxtAuthHandler

```ts
// server/api/auth/[...].ts (the usual catch-all route for the nuxt-auth handler)
import { NuxtAuthHandler } from '#auth'
import GithubProvider from 'next-auth/providers/github'
import AzureADProvider from 'next-auth/providers/azure-ad'

export default NuxtAuthHandler({
  pages: {
    signIn: '/login',
  },
  secret: process.env.AUTH_SECRET,
  providers: [
    // `.default` is used on the providers for SSR interop, as in the module's docs.
    GithubProvider.default({
      clientId: process.env.GITHUB_CLIENT_ID as string,
      clientSecret: process.env.GITHUB_CLIENT_SECRET as string
    }),
    AzureADProvider.default({
      clientId: process.env.AZURE_AD_CLIENT_ID as string,
      clientSecret: process.env.AZURE_AD_CLIENT_SECRET as string,
      tenantId: process.env.AZURE_AD_TENANT_ID as string,
      authorization: {
        params: {
          scope: "openid email profile offline_access api://53ccb2bf-aba5-40cb-9155-52027f83fa66/Idtp.Admin"
        }
      },
    })
  ],
  callbacks: {
    async jwt({ token, account, profile }) {
      console.log(profile);
      // Persist the access_token in the encrypted JWT.
      if (account && profile) {
        token.accessToken = account.access_token;
        token.accessTokenExpires = account.expires_at * 1000;
        token.refreshToken = account.refresh_token;
      }
      if (Date.now() < token.accessTokenExpires) {
        return token;
      }
      // refreshAccessToken is the reporter's own helper, defined elsewhere in
      // this file and not included in the report.
      return refreshAccessToken(token);
    },
    async redirect({ url, baseUrl }) {
      return baseUrl
    },
    async session({ session, token }) {
      // Make the access token available on the client.
      session.accessToken = token.accessToken;
      return session;
    },
  },
})
```

### Describe the bug

When you have successfully logged in and then refresh your browser tab in Chrome, the session gets invalidated and you are redirected back to the login page. In the Safari browser, this does not happen.

### Additional context

_No response_

### Logs

_No response_
@borutkitak

borutkitak commented Sep 15, 2023

Do we have any updates on this? I'm experiencing a similar problem where the user is logged out upon page refresh, regardless of the browser used. Interestingly, it functions correctly when executed on localhost.

Update: It appears that the user is automatically logged back in after approximately 30 seconds.

@shm0x

shm0x commented Sep 17, 2023

> Do we have any updates on this? I'm experiencing a similar problem where the user is logged out upon page refresh, regardless of the browser used. Interestingly, it functions correctly when executed on localhost.
>
> Update: It appears that the user is automatically logged back in after approximately 30 seconds.

Same problem here: it works on localhost, not with domains. It removes the cookie on refresh and so logs the user out.

@minhphuc429

I have the same problem when deploying to production. When refreshing the browser, the cookie is destroyed and logs the user out.

@christianlmc

christianlmc commented Sep 25, 2023

I have this issue too and I found out the cause.

When we attach the access_token and/or refresh_token to the session, it gets stored in the cookies, but since those tokens are too large, they get split into 2 (or more) different cookies.

Screenshot of the Application/Cookies tab on chrome:

I don't really know the internals of how this works, but when session-token is split like that, it causes the error we are all experiencing. I'm also getting a `JWE Initialization Vector missing or incorrect type` in the server logs.

If you don't attach the JWT to the session, it should work even after page refresh.

I'm trying to find workarounds (or better yet, a fix) for this, but no luck so far. I'll comment here again if I find anything.

There is another issue related to this: #293
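The cookie splitting described in the comment above, modelled as an added example in plain Node.js; this is not code from nuxt-auth or next-auth. The 4096-byte per-cookie limit, the `name.0`/`name.1` chunk naming, the cookie name `next-auth.session-token` and every helper name are assumptions made for the illustration, and the session payloads are constructed. It shows why a session that also carries provider tokens no longer fits one cookie, and that once the value is chunked, a browser or proxy returning only part of it leaves the server with something it cannot decode.

```javascript
// Added example, not code from nuxt-auth or next-auth. Models how a session
// cookie that also carries a provider's access_token and refresh_token grows
// past what browsers accept for one cookie, gets split into numbered chunks,
// and fails to decode when a chunk does not come back.

const COOKIE_LIMIT = 4096; // assumed per-cookie ceiling for "name=value", in bytes

// Size of one cookie as the browser counts it: "name=value".
function cookieSize(name, value) {
  return Buffer.byteLength(`${name}=${value}`);
}

// Encode a session payload as the cookie value. base64url stands in for the
// real JWE, which is longer still because of its header, IV and tag.
function encodeSession(payload) {
  return Buffer.from(JSON.stringify(payload)).toString('base64url');
}

function decodeSession(value) {
  return JSON.parse(Buffer.from(value, 'base64url').toString('utf8'));
}

// Split an oversized cookie into numbered chunks (name.0, name.1, ...) that
// each fit the limit; a value that already fits is returned unchanged.
function chunkCookie(name, value, limit = COOKIE_LIMIT) {
  if (cookieSize(name, value) <= limit) return { [name]: value };
  const chunks = {};
  const room = limit - name.length - 1 - 3; // leave room for "=" and a ".N" suffix
  for (let i = 0, pos = 0; pos < value.length; i++, pos += room) {
    chunks[`${name}.${i}`] = value.slice(pos, pos + room);
  }
  return chunks;
}

// Reassemble from a cookie jar (object of name -> value). Returns null when
// neither the plain cookie nor chunk 0 is present. A missing tail chunk is
// not detectable here: the joined value is simply truncated.
function joinChunkedCookie(name, jar) {
  if (jar[name] !== undefined) return jar[name];
  const parts = [];
  for (let i = 0; jar[`${name}.${i}`] !== undefined; i++) {
    parts.push(jar[`${name}.${i}`]);
  }
  return parts.length === 0 ? null : parts.join('');
}

// Decode whatever came back; null means the server cannot recover the session.
function tryDecode(name, jar) {
  const value = joinChunkedCookie(name, jar);
  if (value === null) return null;
  try {
    return decodeSession(value);
  } catch {
    return null; // truncated or garbled value: no usable session
  }
}

// How many cookies a payload needs and how large the single cookie would be.
function sessionCookieReport(name, payload) {
  const value = encodeSession(payload);
  const chunks = chunkCookie(name, value);
  return { bytes: cookieSize(name, value), cookies: Object.keys(chunks).length };
}

// Constructed session contents: a minimal session versus one that also
// carries provider tokens (the repeated letters stand in for real OAuth tokens).
const COOKIE_NAME = 'next-auth.session-token';
const minimalSession = { sub: 'user-123', exp: 1700000000 };
const heavySession = {
  ...minimalSession,
  accessToken: 'A'.repeat(2500),
  refreshToken: 'R'.repeat(1800),
};

// Stand-alone run: report sizes, then simulate a chunk not being returned.
console.log('minimal:', sessionCookieReport(COOKIE_NAME, minimalSession));
console.log('with tokens:', sessionCookieReport(COOKIE_NAME, heavySession));
const jar = chunkCookie(COOKIE_NAME, encodeSession(heavySession));
console.log('all chunks present ->', tryDecode(COOKIE_NAME, jar) !== null);
delete jar[`${COOKIE_NAME}.1`];
console.log('chunk .1 missing  ->', tryDecode(COOKIE_NAME, jar) !== null);
```

The minimal payload fits comfortably in one cookie, while the payload carrying both tokens needs two; drop the second chunk and the reassembled value no longer decodes, which is the position the server is in when it logs a decryption error and treats the user as signed out. Keeping provider tokens out of the cookie (holding them server-side and putting only the user identity and expiry in the session, as the comment above suggests) avoids the chunking altogether.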

@zoey-kaiser
Member

I will close this issue in favor of #293.
Please refer to it for future updates about this issue!
