feat: support browser-session cookies for the session token cookie

[chanceaclark]

Context

There's a class of apps — particularly those with strict GDPR compliance requirements — that need the session-token cookie to be a browser-session cookie (no Expires/Max-Age).

Under GDPR and the ePrivacy Directive, strictly necessary cookies are exempt from consent requirements. Authentication cookies typically qualify. However, compliance teams and some European DPAs expect "strictly necessary" to also mean minimally scoped — and a persistent cookie with a 30-day Expires attribute is harder to defend as "strictly necessary" than one that disappears when the browser closes. The data minimization principle (Article 5(1)(c)) pushes in the same direction: don't retain longer than needed, and a browser session is often the right scope for an auth token.

This also comes up outside of GDPR — banking and government applications commonly prohibit persistent auth cookies by policy, and enterprise SSO setups sometimes require the auth cookie lifetime to be session-scoped even when the underlying token has a longer validity window.

Right now there's no first-class way to get this behavior from Auth.js. Apps that need it have to strip Expires/Max-Age out of the Set-Cookie header after Auth.js writes it. That means intercepting in middleware, in route handlers, and around signIn/updateSession — which write cookies via the framework's cookies() API rather than response headers, so they need a separate interception path. It's fragile, it depends on internal cookie names, and it breaks silently across upgrades.

Two reasonable places to put the config knob

Option A: session.maxAge: null

Auth({
  session: { maxAge: null }
})

The problem here is that session.maxAge drives two separate things: the cookie's Expires attribute and the JWT exp claim (or the DB session expiry column). There's no such thing as a "session-scoped JWT" — jose's EncryptJWT requires an exp claim. So null would need to mean "no cookie expiry, but still use some fallback for exp", which conflates two concerns in one option. It's a little muddy.

Option B: cookies.sessionToken.options.maxAge: null (I think this is the right call)

Auth({
  cookies: {
    sessionToken: {
      options: { maxAge: null }
    }
  }
})

This keeps the concerns separate. session.maxAge keeps controlling JWT exp and DB session expiry unchanged. The cookie config controls the cookie transport layer. Setting maxAge: null on the session token cookie means "omit Expires and Max-Age" — the existing cookies config already lets you customize the session token cookie, this just adds null as a valid value to signal a browser-session cookie.

The caveats worth documenting:

• session.maxAge still enforces expiry via JWT exp (default 30 days). The session will become invalid after that window even if the browser never closed. That's actually correct behavior — it's the enforcement layer.
• Chromium restores session cookies on restart, so "gone on browser close" is a browser hint, not a hard guarantee. JWT exp is the real enforcement.
• For DB strategy, the expires column is unaffected. The DB row still expires after session.maxAge. The cookie just becomes session-scoped.

I've got a PoC branch implementing Option B if it'd be useful as a reference: https://github.com/chanceaclark/next-auth/tree/feat/session-cookie-maxage-null

Happy to open a PR against this once y'all weigh in on the API surface. Totally open to a different shape if there's a better place for it.

[github-actions]

We could not detect a valid reproduction link. Make sure to follow the bug report template carefully.

Why was this issue closed?

To be able to investigate, we need access to a reproduction to identify what triggered the issue. We need a link to a public GitHub repository. Example: (NextAuth.js example repository).

The bug template that you filled out has a section called "Reproduction URL", which is where you should provide the link to the reproduction.

• If you did not provide a link or the link you provided is not hosted on github.com outside of the next-auth organization, we will close the issue.
• If you provide a link to a private repository, we will close the issue.
• If you provide a link to a repository but not in the correct section, we will close the issue.

What should I do?

Depending on the reason the issue was closed, you can do the following:

• If you did not provide a link hosted on github.com outside of the next-auth organization, please open a new issue with a link to such a reproduction.
• If you provided a link to a private repository, please open a new issue with a link to a public repository.
• If you provided a link to a repository but not in the correct section, please open a new issue with a link to a reproduction in the correct section.

In general, assume that we should not go through a lengthy onboarding process at your company code only to be able to verify an issue.

My repository is private and cannot make it public

In most cases, a private repo will not be a sufficient minimal reproduction, as this codebase might contain a lot of unrelated parts that would make our investigation take longer. Please do not make it public. Instead, create a new repository using the templates above, adding the relevant code to reproduce the issue. Common things to look out for:

• Remove any code that is not related to the issue. (pages, API Routes, components, etc.)
• Remove any dependencies that are not related to the issue.
• Remove any third-party service that would require us to sign up for an account to reproduce the issue.
• Remove any environment variables that are not related to the issue.
• Remove private packages that we do not have access to.
• If the issue is not related to a monorepo specifically, try to reproduce the issue without a complex monorepo setup

I did not open this issue, but it is relevant to me, what can I do to help?

Anyone experiencing the same issue is welcome to provide a minimal reproduction following the above steps by opening a new issue.

I think my reproduction is good enough, why aren't you looking into it quickly?

We look into every issue and monitor open issues for new comments.

However, sometimes we might miss a few due to the popularity/high traffic of the repository. We apologize, and kindly ask you to refrain from tagging core maintainers, as that will usually not result in increased priority.

Upvoting issues to show your interest will help us prioritize and address them as quickly as possible. That said, every issue is important to us, and if an issue gets closed by accident, we encourage you to open a new one linking to the old issue and we will look into it.

Useful Resources

• How to create a Minimal, Complete, and Verifiable example
• Bug report: Framework
• Bug report: Provider
• Bug report: Adapter