Bug Description
The Next.js middleware is designed to parse the NextAuth session token to protect routes. In production (isProduction === true), NextAuth strictly sets the __Secure-next-auth.session-token cookie. However, the middleware contains a hardcoded fallback: if the secure cookie is missing, it explicitly flips secureCookie: false and attempts to read the non-secure next-auth.session-token.
Because of this fallback, the production app will accept the insecure session, completely bypassing the __Secure- prefix protections. This allows full session hijacking if an attacker intercepts an insecure connection or performs a "Cookie Tossing" attack from a subdomain to inject a next-auth.session-token.
Steps to Reproduce
- Deploy the application to a production environment.
- Intercept or simulate a request to a protected route (e.g.
/dashboard).
- Omit the
__Secure-next-auth.session-token cookie, but inject a valid (stolen or tossed) next-auth.session-token cookie.
- Observe that the middleware successfully authorizes the request, bypassing the secure cookie requirement.
Affected Area
Authentication / Sign-in
Screenshots
No response
Browser & OS
No response
Environment
Production (devtrack.site)
Additional Context
Suggested Fix:
- Remove the fallback block completely in production.
- If
process.env.NODE_ENV === "production" and the __Secure- token is missing, the request must instantly be treated as unauthenticated.
- Restrict non-secure cookie parsing strictly to local development environments.
Bug Description
The Next.js middleware is designed to parse the NextAuth session token to protect routes. In production (
isProduction === true), NextAuth strictly sets the__Secure-next-auth.session-tokencookie. However, the middleware contains a hardcoded fallback: if the secure cookie is missing, it explicitly flipssecureCookie: falseand attempts to read the non-securenext-auth.session-token.Because of this fallback, the production app will accept the insecure session, completely bypassing the
__Secure-prefix protections. This allows full session hijacking if an attacker intercepts an insecure connection or performs a "Cookie Tossing" attack from a subdomain to inject anext-auth.session-token.Steps to Reproduce
/dashboard).__Secure-next-auth.session-tokencookie, but inject a valid (stolen or tossed)next-auth.session-tokencookie.Affected Area
Authentication / Sign-in
Screenshots
No response
Browser & OS
No response
Environment
Production (devtrack.site)
Additional Context
Suggested Fix:
process.env.NODE_ENV === "production"and the__Secure-token is missing, the request must instantly be treated as unauthenticated.