fix(security): prevent CDN caching of session responses by validating __session Set-Cookie

Author: nandan-bhat

src/server/auth-client.ts

@@ -32,6 +32,7 @@ import {
   removeTrailingSlash
 } from "../utils/pathUtils";
 import { toSafeRedirect } from "../utils/url-helpers";
+import { addCacheControlHeadersForSession } from "./cookies";
 import { AbstractSessionStore } from "./session/abstract-session-store";
 import { TransactionState, TransactionStore } from "./transaction-store";
 import { filterClaims } from "./user";
@@ -296,6 +297,7 @@ export class AuthClient {
         await this.sessionStore.set(req.cookies, res.cookies, {
           ...session
         });
+        addCacheControlHeadersForSession(res);
       }
 
       return res;
@@ -441,6 +443,7 @@ export class AuthClient {
 
     const res = NextResponse.redirect(url);
     await this.sessionStore.delete(req.cookies, res.cookies);
+    addCacheControlHeadersForSession(res);
 
     // Clear any orphaned transaction cookies
     await this.transactionStore.deleteAll(req.cookies, res.cookies);
@@ -567,6 +570,7 @@ export class AuthClient {
     }
 
     await this.sessionStore.set(req.cookies, res.cookies, session, true);
+    addCacheControlHeadersForSession(res);
     await this.transactionStore.delete(res.cookies, state);
 
     return res;
@@ -580,8 +584,9 @@ export class AuthClient {
         status: 401
       });
     }
-
-    return NextResponse.json(session?.user);
+    const res = NextResponse.json(session?.user);
+    addCacheControlHeadersForSession(res);
+    return res;
   }
 
   async handleAccessToken(req: NextRequest): Promise<NextResponse> {
@@ -631,6 +636,7 @@ export class AuthClient {
         ...session,
         tokenSet: updatedTokenSet
       });
+      addCacheControlHeadersForSession(res);
     }
 
     return res;

src/server/cookies.test.ts

@@ -1,7 +1,8 @@
+import { NextResponse } from "next/server";
 import { describe, expect, it } from "vitest";
 
 import { generateSecret } from "../test/utils";
-import { decrypt, encrypt } from "./cookies";
+import { addCacheControlHeadersForSession, decrypt, encrypt } from "./cookies";
 
 describe("encrypt/decrypt", async () => {
   const secret = await generateSecret(32);
@@ -53,3 +54,58 @@ describe("encrypt/decrypt", async () => {
     await expect(() => decrypt(encrypted, "")).rejects.toThrowError();
   });
 });
+
+describe("addCacheControlHeadersForSession", () => {
+  it("adds cache headers if __session cookie has a future Date expiry", () => {
+    const res = NextResponse.next();
+    const futureDate = new Date(Date.now() + 60_000); // 1 minute in the future
+
+    res.cookies.set("__session", "dummy", { expires: futureDate });
+    addCacheControlHeadersForSession(res);
+
+    expect(res.headers.get("Cache-Control")).toBe(
+      "private, no-cache, no-store, must-revalidate, max-age=0"
+    );
+    expect(res.headers.get("Pragma")).toBe("no-cache");
+    expect(res.headers.get("Expires")).toBe("0");
+  });
+
+  it("does NOT add headers if __session cookie is missing", () => {
+    const res = NextResponse.next();
+
+    addCacheControlHeadersForSession(res);
+    expect(res.headers.get("Cache-Control")).toBeNull();
+    expect(res.headers.get("Pragma")).toBeNull();
+    expect(res.headers.get("Expires")).toBeNull();
+  });
+
+  it("does NOT add headers if __session cookie is expired", () => {
+    const res = NextResponse.next();
+    const pastDate = new Date(Date.now() - 60_000); // 1 minute in the past
+
+    res.cookies.set("__session", "dummy", { expires: pastDate });
+    addCacheControlHeadersForSession(res);
+
+    expect(res.headers.get("Cache-Control")).toBeNull();
+  });
+
+  it("does NOT add headers if __session cookie has no value", () => {
+    const res = NextResponse.next();
+    const futureDate = new Date(Date.now() + 60_000);
+
+    // setting an empty value simulates a session cookie being cleared
+    res.cookies.set("__session", "", { expires: futureDate });
+    addCacheControlHeadersForSession(res);
+
+    expect(res.headers.get("Cache-Control")).toBeNull();
+  });
+
+  it("does NOT add headers if __session cookie has no expires field", () => {
+    const res = NextResponse.next();
+
+    res.cookies.set("__session", "dummy"); // no `expires`
+    addCacheControlHeadersForSession(res);
+
+    expect(res.headers.get("Cache-Control")).toBeNull();
+  });
+});

src/server/cookies.ts

@@ -1,3 +1,4 @@
+import { NextResponse } from "next/server";
 import {
   RequestCookie,
   RequestCookies,
@@ -329,3 +330,39 @@ export function deleteChunkedCookie(
     resCookies.delete(cookie.name); // Delete each filtered cookie
   });
 }
+
+/**
+ * Returns true if the cookie's `expires` field represents a future time.
+ * Handles both Date objects and numeric UNIX timestamps.
+ */
+function isValidFutureExpiry(expires: Date | number): boolean {
+  const now = Date.now();
+  return typeof expires === "number"
+    ? expires * 1000 > now
+    : expires instanceof Date && expires.getTime() > now;
+}
+
+/**
+ * Adds strict cache-control headers to prevent shared CDN caching of
+ * responses that contain a valid `Set-Cookie: __session`.
+ *
+ * Only applies headers if a future-expiring `__session` cookie is present
+ * in the response — avoiding overly aggressive cache disabling.
+ */
+export function addCacheControlHeadersForSession(res: NextResponse): void {
+  const sessionCookie = res.cookies.get("__session");
+
+  const isFreshCookie =
+    sessionCookie?.value &&
+    sessionCookie?.expires &&
+    isValidFutureExpiry(sessionCookie.expires);
+
+  if (isFreshCookie) {
+    res.headers.set(
+      "Cache-Control",
+      "private, no-cache, no-store, must-revalidate, max-age=0"
+    );
+    res.headers.set("Pragma", "no-cache");
+    res.headers.set("Expires", "0");
+  }
+}