Open
Bug report
- I confirm this is a bug with Supabase, not with my own application.
- I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
The `supabase/ssr` method `createServerClient` ignores `cookieOptions` property `maxAge`. Not only that but the `config.toml` property `jwt_expiry` is also ignored when setting the auth cookie expiry. So we get cookies set with Expires / Max-Age of about 1 year. I have a Next.js app where this is observed.
To Reproduce
- Open `config.toml`, set the `jwt_expiry` to a low value, e.g., `300` (5 min)
- Initiate a supabase server client with vanilla config found in docs: https://supabase.com/docs/guides/auth/server-side/creating-a-client
- Add `cookieOptions` object with the `maxAge` property in the server client config object with a low value, e.g., `300`.
- From client side initiate a request to an endpoint that handles server side auth. Use one of the sign-in options like `signInAnonymously()` or `signInWithPassword()` on the server side.
- Inspect set auth cookie in your browser's dev tools - the Max Age / Expiry of the cookie is set to be around 1 year, which does not match configuration in the `cookieOptions` or the `config.toml`.
I observed this issue in my supabase server client utility function:
```ts
import { createServerClient, type CookieOptions } from '@supabase/ssr';
import { Database } from '@/lib/types/supabase';
import { cookies } from 'next/headers';

export default function supabaseServerClient() {
  const cookieStore = cookies();

  return createServerClient<Database>(
    process.env.NEXT_PUBLIC_SUPABASE_API_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookieOptions: {
        // The maxAge property I would expect to be used in setting the cookie expiry and overriding the config.toml config value.
        maxAge: 300,
      },
      cookies: {
        getAll() {
          return cookieStore.getAll();
        },
        setAll(cookiesToSet) {
          try {
            cookiesToSet.forEach(({ name, value, options }) => {
              console.log('_@ OPTIONS', options);
              // The maxAge is not matching the maxAge set in cookieOptions. Nor is it matching the value in the config.toml
              // _@ OPTIONS {
              //   path: '/',
              //   sameSite: 'lax',
              //   httpOnly: false,
              //   maxAge: 31536000000,
              //   expires: 2024-07-14T17:11:04.968Z
              // }
              return cookieStore.set(name, value, options);
            });
          } catch {}
        },
      },
    },
  );
}
```
Expected behavior
The set cookie has an expiry matching the `jwt_expiry` field in `config.toml` or is overridden and matches the `maxAge` property set in the `createServerClient` config `cookieOptions`.
System information
- OS: macOS
- Browser: Chrome
- Version of supabase-js: v2.38.4
- Version supabase/ssr: v0.4.0
- Version of Node.js: v20.9.0
Additional context
Using Next.js 14.
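
A defensive check that follows from the report above, as an added example that is not part of the original issue or of `@supabase/ssr`: because `setAll` is the application's own callback, it can bound the lifetime of every cookie before writing it, whatever options the library passes in. The helper names (`capCookieLifetime`, `cappedSetAll`), the 300-second cap and the sample `expires` date are assumptions made for illustration.

```typescript
// Added example: hypothetical helpers, not part of @supabase/ssr.
type CookieOpts = { maxAge?: number; expires?: Date; [key: string]: unknown };
type CookieToSet = { name: string; value: string; options?: CookieOpts };

// Constructed sample shaped like the options logged in the issue (expires is made up).
const loggedOptions: CookieOpts = {
  path: '/', sameSite: 'lax', httpOnly: false,
  maxAge: 31536000000, expires: new Date('2025-07-14T17:00:00.000Z'),
};

// Returns a copy of `options` that lives at most `capSeconds` past `now`.
function capCookieLifetime(options: CookieOpts, capSeconds: number, now: Date = new Date()): CookieOpts {
  const capped: CookieOpts = { ...options };
  // Deletions (maxAge <= 0 or an expiry in the past) pass through untouched,
  // otherwise sign-out would stop clearing the cookie.
  const isDeletion =
    (typeof capped.maxAge === 'number' && capped.maxAge <= 0) ||
    (capped.expires instanceof Date && capped.expires.getTime() <= now.getTime());
  if (isDeletion) return capped;

  if (typeof capped.maxAge === 'number') {
    capped.maxAge = Math.min(capped.maxAge, capSeconds);
  }
  const latest = new Date(now.getTime() + capSeconds * 1000);
  if (capped.expires instanceof Date && capped.expires.getTime() > latest.getTime()) {
    capped.expires = latest;
  }
  // No maxAge and no expires means a session cookie; there is nothing to shorten.
  return capped;
}

// Builds a setAll() that applies the cap before handing each cookie to `set`.
// In the issue's code: setAll: cappedSetAll((n, v, o) => cookieStore.set(n, v, o), 300)
function cappedSetAll(
  set: (name: string, value: string, options: CookieOpts) => void,
  capSeconds: number,
  now: () => Date = () => new Date(),
): (cookiesToSet: CookieToSet[]) => void {
  return (cookiesToSet) => {
    for (const { name, value, options } of cookiesToSet) {
      set(name, value, capCookieLifetime(options ?? {}, capSeconds, now()));
    }
  };
}
```

If the original `try`/`catch` around `cookieStore.set` is still wanted, keep it inside the `set` callback. The cap only limits how long the browser retains the cookie; the validity of the tokens stored in it is still decided by the auth server.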