Clusterify.AI
© 2025 All Rights Reserved, Clusterify Solutions FZCO
JWT Session Security Issue With OAuth on Mac and Chrome Browser and My Fix

The issue is that the user's session stays alive overnight even when the Mac lid is closed. It simply does not expire as it should. The user may believe the session expired long ago, but it has NOT: they are still logged in.
I have tracked down the reason the session survives overnight!
Consider this scenario:
A user logs into your admin dashboard on a laptop at a café.
They close the lid and assume the 1-hour expiry will protect them.
Overnight the tab keeps checking in with the session endpoint, and every check-in renews the session.
Next morning, anyone with physical access to the laptop (or a shared family device) opens the lid and the user is still authenticated.
This is especially relevant for:
admin panels
ecommerce back offices
tools that expose customer data / invoices / addresses
AUTH_SESSION_MAX_AGE=3600 does configure the NextAuth expiry correctly; the problem is what happens after login. By default NextAuth's SessionProvider refetches the session from the server every time the window regains focus (refetchOnWindowFocus), and with the JWT strategy each successful fetch of the session endpoint re-issues the session cookie with a fresh expiry. Every background check-in therefore restarts the 1-hour clock, so a session that is polled at least once an hour never expires.
To prevent background pinging from indefinitely bypassing your hard 1-hour inactivity limit:
Set jwt: { maxAge: 3600 } in the auth.ts config so the token lifetime is pinned explicitly and does not depend on the inherited default.
Pass refetchOnWindowFocus={false} to the <SessionProvider> wrapper used by layout.tsx. This halts the background polling, so the session is only refreshed when the user actually performs a navigation that loads it. Example (Next.js):
// Client wrapper for SessionProvider, rendered from app/layout.tsx (file name assumed)
"use client";
import { SessionProvider } from "next-auth/react";

export default function Providers({ children }: { children: React.ReactNode }) {
  return (
    <SessionProvider
      refetchOnWindowFocus={false}   // no refetch when the tab regains focus
      refetchWhenOffline={false}     // no refetch attempts while the browser is offline
      refetchInterval={0}            // no periodic polling (0 disables it)
    >
      {children}
    </SessionProvider>
  );
}
Hooray! This means that if you close your laptop and it goes to sleep, your session will now actually expire within the designated 60 minutes.
Hope this helps when you run into this weird issue. (It looks weird until you figure out that this is the correct behaviour; it is specific to Mac and Chrome, and it is worth knowing about.)
Happy coding!
Zsolt Szalay