session send to other user

[jlemonz]

I cannot reproduce it. I already opened a bug about it but got closed. I don't know what to do anymore. Sometimes a user gets logged in with other users account. It happens around 1 time a week. I already let my code check by the latest ai bots etc. I cant find anything about it. My config:

I dont use any other auth middleware besides this. It can not be the login function because it happens even when user is already logged in and did not pas the check otp or login page. There must be something wrong in the plugin somehwere. I do use vercel. Now my last resort i have set no cache on all api's

[jlemonz]

could this not be the edge case? Instead of getsession use getuser? As recommended in supabase docs.

[Revadike]

Is SSR on or off? Is your project public by any chance?

[jlemonz]

SSR is on. The website itself is https://foodtrucksenzo.nl/. It's not public but I could invite you to see the code. Thanks!

[jlemonz]

oke it happened again. My co-worker got logged in as another user. In the logs i don't see anything. I don't use user = supabase outside eventhandler. I don't use getuser, or getsession anywhere. I asked claud etc to check nothing comes out. I just use nuxt.config for setting protected route. The only thing i sometimes see is a warning from supabase about using getsession instead of getuser. but thats it.

[jlemonz]

Oke i am almost 100% certain that it is caused by isr cache. It gives the issue on both netlify and vercel. I disabled the cache and no issue anymore.

// "/": { isr: 60 },
// "/foodtrucks": { isr: 60 },
// "/foodtrucks/**": { isr: 60 },
// "/zo-werkt-het": { isr: 60 },
// "/open-aanvragen": { isr: 60 },
// "/over-ons": { isr: 60 },
// "/foodtruck-aanmelden": { isr: 60 },
// "/contact": { isr: 60 },
and

supabase: {
redirect: true,
redirectOptions: {
login: "/account/inloggen",
callback: "/confirm",
include: ["/dashboard", "/dashboard/**"],
exclude: [],
},
It is hard to replicate. It happens randomly. I just open a not signed in homepage. And wait for couple hours. When another user then logs in and uses the application there is a change that all of a suden the not singedin user is signed in as that user.

Becides these auth rules i dont generate any other usersessions or auth changes.

[thebadking]

this is almost always a caching issue, headers are not properly set

[jlemonz]

this is almost always a caching issue, headers are not properly set

I understand. But I have no idea how to fix this. For now I don't use isr cache and it didnt happened after that. Or there other users that do use isr cache successfully with nuzt supabase module?

[hectorg2211]

Hey @jlemonz were you using the @nuxtjs/supabase library by any chance?

[jlemonz]

Hey @jlemonz were you using the @nuxtjs/supabase library by any chance?

You mean this "@nuxtjs/supabase": "1.5.1",? i use that. Isn't that the package from the repo?

I haven't turned on isr cache anymore. And that solves the problem. I havent tried to replicate it yet in a clean project.. What i could do in my project is just turn on isr cache. login in. And open the website on another pc and just wait a couple hours. All of a sudden i am logged in as the user from the other computer.

[felixgabler]

We're experiencing the same issue on Vercel Edge with Nuxt 4.1.3 + @nuxtjs/supabase 2.0.1.

What happened:

• Enabled ISR on landing pages only (/, /blog/**, legal pages)
• Within 24 hours: 2 users reported signing in and getting access to a different user's account
• They sent screenshots & screen recordings confirming they saw someone else's data

The confusing part:
We only enabled ISR for public landing pages. The session mixup occurred on /app/** routes which have ssr: false. It seems like enabling ISR anywhere affects the entire app.

Temporary fix:
Disabled ISR completely for now.

Any idea what this could be about? Would be great to be able to use ISR.