Skip to content

[BUG] Session Hijacking via Production Secure Cookie Downgrade Fallback #3167

Description

@nyxsky404

Bug Description

The Next.js middleware is designed to parse the NextAuth session token to protect routes. In production (isProduction === true), NextAuth strictly sets the __Secure-next-auth.session-token cookie. However, the middleware contains a hardcoded fallback: if the secure cookie is missing, it explicitly flips secureCookie: false and attempts to read the non-secure next-auth.session-token.

Because of this fallback, the production app will accept the insecure session, completely bypassing the __Secure- prefix protections. This allows full session hijacking if an attacker intercepts an insecure connection or performs a "Cookie Tossing" attack from a subdomain to inject a next-auth.session-token.

Steps to Reproduce

  1. Deploy the application to a production environment.
  2. Intercept or simulate a request to a protected route (e.g. /dashboard).
  3. Omit the __Secure-next-auth.session-token cookie, but inject a valid (stolen or tossed) next-auth.session-token cookie.
  4. Observe that the middleware successfully authorizes the request, bypassing the secure cookie requirement.

Affected Area

Authentication / Sign-in

Screenshots

No response

Browser & OS

No response

Environment

Production (devtrack.site)

Additional Context

Suggested Fix:

  1. Remove the fallback block completely in production.
  2. If process.env.NODE_ENV === "production" and the __Secure- token is missing, the request must instantly be treated as unauthenticated.
  3. Restrict non-secure cookie parsing strictly to local development environments.

Metadata

Metadata

Assignees

Labels

gssoc:assignedGSSoC: Issue assigned to a contributor

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions