fix(session): prevent accidental deletion of legacy-named session cookie

nandan-bhat · web-flow · commit 31c2ce2d2f9f · 2025-05-23T21:16:45.000+05:30
diff --git a/src/server/session/stateful-session-store.test.ts b/src/server/session/stateful-session-store.test.ts
@@ -735,6 +735,42 @@ describe("Stateful Session Store", async () => {
 
       expect(responseCookies.delete).toHaveBeenCalledWith(LEGACY_COOKIE_NAME);
     });
+
+    it("should not delete the legacy cookie if session cookie name matches LEGACY_COOKIE_NAME", async () => {
+      const secret = await generateSecret(32);
+      const session: SessionData = {
+        user: { sub: "user_123" },
+        tokenSet: {
+          accessToken: "at_123",
+          refreshToken: "rt_123",
+          expiresAt: 123456
+        },
+        internal: {
+          sid: "auth0-sid",
+          createdAt: Math.floor(Date.now() / 1000)
+        }
+      };
+      const store = {
+        get: vi.fn(),
+        set: vi.fn(),
+        delete: vi.fn()
+      };
+
+      const requestCookies = new RequestCookies(new Headers());
+      const responseCookies = new ResponseCookies(new Headers());
+
+      // Pretend the legacy cookie is already present
+      vi.spyOn(requestCookies, "has").mockReturnValue(true);
+      const deleteSpy = vi.spyOn(responseCookies, "delete");
+      const sessionStore = new StatefulSessionStore({
+        secret,
+        store,
+        cookieOptions: { name: LEGACY_COOKIE_NAME } // 👈 simulate legacy name
+      });
+
+      await sessionStore.set(requestCookies, responseCookies, session);
+      expect(deleteSpy).not.toHaveBeenCalled();
+    });
   });
 
   describe("delete", async () => {
diff --git a/src/server/session/stateful-session-store.ts b/src/server/session/stateful-session-store.ts
@@ -152,7 +152,10 @@ export class StatefulSessionStore extends AbstractSessionStore {
 
     // Any existing v3 cookie can also be deleted once we have set a v4 cookie.
     // In stateful sessions, we do not have to worry about chunking.
-    if (reqCookies.has(LEGACY_COOKIE_NAME)) {
+    if (
+      this.sessionCookieName !== LEGACY_COOKIE_NAME &&
+      reqCookies.has(LEGACY_COOKIE_NAME)
+    ) {
       resCookies.delete(LEGACY_COOKIE_NAME);
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -152,7 +152,10 @@ export class StatefulSessionStore extends AbstractSessionStore {`
`152`	`152`
`153`	`153`	`// Any existing v3 cookie can also be deleted once we have set a v4 cookie.`
`154`	`154`	`// In stateful sessions, we do not have to worry about chunking.`
`155`		`- if (reqCookies.has(LEGACY_COOKIE_NAME)) {`
	`155`	`+ if (`
	`156`	`+ this.sessionCookieName !== LEGACY_COOKIE_NAME &&`
	`157`	`+ reqCookies.has(LEGACY_COOKIE_NAME)`
	`158`	`+ ) {`
`156`	`159`	`resCookies.delete(LEGACY_COOKIE_NAME);`
`157`	`160`	`}`
`158`	`161`	`}`