Skip to content

fix(auth): restrict non-secure cookie fallback to development environment#3171

Open
nyxsky404 wants to merge 2 commits into
Priyanshu-byte-coder:mainfrom
nyxsky404:fix/secure-cookie-fallback
Open

fix(auth): restrict non-secure cookie fallback to development environment#3171
nyxsky404 wants to merge 2 commits into
Priyanshu-byte-coder:mainfrom
nyxsky404:fix/secure-cookie-fallback

Conversation

@nyxsky404

Copy link
Copy Markdown
Contributor

This PR removes the fallback to the non-secure next-auth.session-token in production environments. Previously, if the __Secure-next-auth.session-token was missing in production, the middleware would attempt to read the insecure cookie by explicitly setting secureCookie: false. This introduces a severe Session Hijacking vulnerability via Cookie Tossing, allowing attackers to inject insecure session cookies on production instances. The fallback is now strictly limited to development environments, ensuring production requests without the secure cookie are appropriately treated as unauthenticated. Fixes #3167.

@github-actions github-actions Bot added gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix type:security GSSoC type bonus: security (+20 pts) type:performance GSSoC type bonus: performance (+15 pts) labels Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

@nyxsky404 nyxsky404 force-pushed the fix/secure-cookie-fallback branch from d57fa3c to 7567504 Compare July 8, 2026 16:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix type:performance GSSoC type bonus: performance (+15 pts) type:security GSSoC type bonus: security (+20 pts)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Session Hijacking via Production Secure Cookie Downgrade Fallback

1 participant