Environment
System:
OS: macOS 14.7.1
CPU: (14) arm64 Apple M3 Max
Memory: 74.95 MB / 36.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 22.18.0 - ~/.nvm/versions/node/v22.18.0/bin/node
Yarn: 1.22.22 - ~/.nvm/versions/node/v22.18.0/bin/yarn
npm: 10.9.3 - ~/.nvm/versions/node/v22.18.0/bin/npm
pnpm: 9.15.4 - ~/.nvm/versions/node/v22.18.0/bin/pnpm
Browsers:
Chrome: 140.0.7339.208
Safari: 18.1.1
npmPackages:
@auth/unstorage-adapter: ^2.0.0 => 2.10.0
next: latest => 15.5.4
next-auth: beta => 5.0.0-beta.29
react: ^18.2.0 => 18.3.1
Reproduction URL
https://github.com/plaa/next-auth-updateAge-bug
Describe the issue
When using the JWT strategy, the session token cookie is updated on every single request. This is extremely wasteful, especially if the token contains more information than the minimal JWT contents.
In our service the session token is about 3kB in size and a single page load can involve 5-10 requests, meaning 15-30kB of unnecessary data is encrypted and sent to the browser per page. This is very wasteful from a Green IT perspective.
I expected that setting updateAge would fix the issue, and the token would only be updated when the token age exceeds that amount, but the code path for jwt completely ignores the property.
How to reproduce
Using the example repo (direct copy of example repo with only auth.ts updated):
- Start the app according to regular instructions (pnpm install; cp .env.local.example .env.local; pnpm run dev)
- Open the page and sign in with any username
- View network panel while reloading the page
--> On every page load a ~2kB Set-Cookie header is present, even though the token is nowhere near expiry and updateAge: 5 * 60 is specified.
Expected behavior
The JWT token should be refreshed and set only every updateAge seconds.
To make this work correctly when maxAge is set, I propose that the default updateAge value be maxAge / 30, to make it relative to the maxAge expiry time; this would be well sufficient to keep the session alive and is consistent with the current 30d / 1d defaults.
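
The expected behavior above, as an added sketch that is not part of the original issue and not next-auth's own code. The names sessionAction and countReissues are hypothetical, the token is assumed to carry the standard iat/exp claims in seconds, and requests are assumed to be handled one after another so each sees the latest cookie.

```javascript
// Added illustration; function names are hypothetical, not next-auth internals.
const DAY = 24 * 60 * 60;

// Decide what to do with a decoded JWT session on one request.
// token: { iat, exp } in seconds since epoch (standard JWT claims).
function sessionAction(token, nowSec, { maxAge = 30 * DAY, updateAge } = {}) {
  // Default proposed in the issue: updateAge relative to maxAge (30d -> 1d).
  // `??` keeps an explicit 0, which models "re-issue on every request".
  const threshold = updateAge ?? Math.floor(maxAge / 30);
  if (!token || typeof token.iat !== "number" || typeof token.exp !== "number") {
    return { action: "reject" }; // malformed claims: treat as signed out
  }
  if (nowSec >= token.exp) return { action: "reject" }; // expired
  if (nowSec - token.iat < threshold) return { action: "keep" }; // no Set-Cookie
  // Old enough: re-issue with fresh iat/exp (sliding expiry).
  return {
    action: "reissue",
    token: { ...token, iat: nowSec, exp: nowSec + maxAge },
  };
}

// Replay request timestamps and count responses that would carry Set-Cookie.
function countReissues(requestTimes, opts = {}, issuedAt = 0) {
  const maxAge = opts.maxAge ?? 30 * DAY;
  let token = { iat: issuedAt, exp: issuedAt + maxAge };
  let reissues = 0;
  for (const t of requestTimes) {
    const r = sessionAction(token, t, opts);
    if (r.action === "reject") return { reissues, signedOut: true };
    if (r.action === "reissue") {
      token = r.token;
      reissues++;
    }
  }
  return { reissues, signedOut: false };
}

// Constructed sample: one page load at ~60s, another at ~301s after sign-in.
const burst = [60, 60, 60, 61, 61, 61, 62, 62, 301, 301, 302];
console.log(countReissues(burst, { maxAge: 3600, updateAge: 5 * 60 }));
console.log(countReissues(burst, { maxAge: 3600, updateAge: 0 }));
```

One consequence of skipping re-issues: a request made just under updateAge after issuance does not extend the session, so the effective idle timeout can be as short as maxAge minus updateAge.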