JWT Session Security Issue With OAuth on Mac and Chrome Browser and My Fix

The issue is, user’s session stays alive even overnight when the Mac is closed. It just dos not expire as it should. User may think the session has been expired long ago but it is NOT and you are still logged in.

I have tracked down the reason for the session surviving overnight!

Why this matters, realistic risk story

You can include an example like:

• A user logs into your admin dashboard on a laptop at a café.

• They close the lid and assume the 1-hour expiry will protect them.

• Overnight the tab “keeps checking in” and continuously renews the session.

• Next morning, anyone with physical access to the laptop (or a shared family device) opens the lid and the user is still authenticated.

This is especially relevant for:

• admin panels

• ecommerce back offices

• tools that expose customer data / invoices / addresses

The AUTH_SESSION_MAX_AGE=3600 is actually configuring the NextAuth expiration specifically correctly, but here’s exactly what was happening:

The Phenomenon

1. NextAuth’s SessionProvider automatically utilizes refetchOnWindowFocus and refetchWhenOffline mechanisms to silently renew users’ sessions in the background.
2. An unexpected side effect of this applies to Mac and Chrome: if you leave a browser tab open while closing your laptop, Mac uses a feature called “Power Nap” to wake periodically.
3. Every time it wakes up, it re-establishes network connections, causing Chrome to fire online and `visibilitychange` events!
4. These events caused the NextAuth SessionProvider client to silently ping /api/auth/session in the background throughout the night, completely automatically.
5. Because the server config is set to “Sliding session via updateAge”, every background ping literally pushed your 1-hour expiration out by another hour. By the time you woke up in the morning, the token was still warm and valid from the last hidden background check!

How I Fixed It

To prevent background pinging from indefinitely bypassing your hard 1-hour inactivity timeout limit:

• I explicitly specified jwt: { maxAge: 3600 } in the auth.ts config to assure it behaves independently.
• I added refetchOnWindowFocus={false} to the “ wrapper in layout.tsx. This halts the background polling, meaning your session will ONLY be securely updated if you manually perform meaningful navigations.

Example NextJs:

<SessionProvider
   refetchOnWindowFocus={false}
   refetchWhenOffline={false}
   refetchInterval={0}
>
{children}
</SessionProvider>


Hurray! This means if you drop your computer and it sleeps, your session will now actually expire within the designated 60 minutes.

Hope it will help you when you will face this weird issue. (Looks weird until you figured this is the correct behaving, just specific to Mac and Chrome and better to know it).

Happy coding!

Zsolt Szalay