Why does my login work but the dashboard still shows "please log in"?

Classic race condition. Your login succeeds and sets a session cookie, but when the browser requests `/dashboard`, the server hasn't seen the cookie yet. The server renders "not authenticated" HTML, then the client hydrates with that same state.

My auth works locally but breaks in production - what's wrong with my cookies?

Your development cookies aren't configured for HTTPS. In production you need `secure: true`, proper `sameSite` settings, and correct domain configuration.```javascriptevent.cookies.set('session', token, { secure: process.env.NODE_ENV === 'production', sameSite: 'strict', domain: isProduction ? '.yourdomain.com' : undefined});```Also check if you're using subdomains. A cookie set on `api.example.com` won't be sent to `app.example.com` unless you set the domain correctly.

Users get randomly logged out for no reason - why?

Your server hook is deleting sessions on any validation error. Network timeouts, database hiccups, or backend 500 errors shouldn't log users out. Only delete session cookies on explicit logout or when you're absolutely sure the session is invalid.Stop doing this: `if (!user) event.cookies.delete('session')`. Start being more careful about when you actually destroy sessions.

Auth.js sessions expire randomly and I can't figure out why

Auth.js v4.21.1 has aggressive session expiration that triggers on server restarts, deployment, or JWT_SECRET changes. The default JWT strategy expires sessions every time you restart your server, which is completely useless in production.Check your `SESSION_STRATEGY` - database sessions survive deployments but JWT sessions don't. Also, Auth.js v5 completely broke backward compatibility with session handling and I'm still debugging the migration 3 months later. Maybe stick with v4 until they figure out what they're doing.Also verify your JWT_SECRET is consistent across deployments. If it changes, all existing sessions become invalid immediately. I learned this the hard way when our entire userbase got logged out after a deployment because someone regenerated the secret. Use environment variables, not hardcoded values, and for the love of god don't commit secrets to git.

Why does refresh token rotation break my SPA?

Multiple tabs trying to refresh tokens simultaneously creates race conditions. One tab refreshes the token, invalidating the refresh token for other tabs. When the other tabs try to use the old refresh token, they fail and log out.**Solution:** Use a broadcast channel to coordinate refresh across tabs, or implement a single-tab refresh strategy where only one tab handles token refresh for all tabs.

My authentication works in dev but the session hook never runs in production

Check your adapter configuration. Some adapters (looking at you, `adapter-static`) don't run server hooks because they're generating static files. You need `adapter-auto`, `adapter-node`, or `adapter-vercel` for dynamic authentication.I spent 4 hours debugging this because our CI was set to `adapter-static` to "optimize performance" and nobody told me. Static adapters are for static sites. If you need authentication, you need a fucking server. Don't let DevOps make architecture decisions without understanding the implications.Also, `adapter-auto` sometimes picks the wrong adapter in production. Explicitly specify `adapter-node` or whatever you're actually using instead of trusting the auto-detection.

Why do my httpOnly cookies disappear after deployment?

Your deployment is probably changing the server's domain or clearing cookies during the build process. Check if your hosting provider is running on different domains between builds.Also verify your cookie path settings. A cookie set with `path: '/api'` won't be sent to `/dashboard`. Use `path: '/'` for site-wide authentication.

The user object is null in server-side code but exists in the browser

Your server hook isn't running or isn't setting `event.locals.user` properly. Check that: 1. You have a `hooks.server.js` file (not just `hooks.client.js`) 2. Your `handle` function actually sets `event.locals.user` 3. You're not accidentally overwriting it in route handlers Server-side auth state comes from `locals`, not from stores or client-side state.

Auth works but protected API routes are still accessible without login

You're only checking auth on the frontend like a fucking amateur. Anyone can curl your API endpoints directly and access protected data. I learned this when someone pointed out they could hit our `/api/admin/users` endpoint from the browser bar and dump our entire user list.Add server-side auth checks to every protected route:```javascript// In your API routes - check EVERY SINGLE ONEif (!event.locals.isAuthenticated) { throw error(401, 'Unauthorized');}```Frontend auth is for pretty UIs. Server-side auth keeps you from getting fired.Now that you know the common pitfalls, let's talk about the bigger question: which auth library should you actually use? After burning months testing different options, I have some strong opinions about what works and what doesn't...

My entire user base just got logged out after deployment - what happened?

Your JWT_SECRET changed or your session database got wiped during deployment. If you're using JWT tokens, any secret change invalidates all existing sessions. If you're using database sessions, check if your deployment process clears the session table.Emergency fix: Rollback to the previous deployment if possible. For the future, make sure JWT_SECRET is stored in environment variables that persist across deployments, not generated randomly each time.

Users can't log in after switching from HTTP to HTTPS - cookies aren't working

Your cookies are set with `secure: false` which means they won't be sent over HTTPS connections. Your users have cookies from the HTTP version that the HTTPS version can't read.Fix: Set new cookies with `secure: true` and `sameSite: 'strict'`. You might need to force all users to log in again, but that's better than broken auth.

Sessions randomly expire on mobile devices but work fine on desktop

Mobile browsers aggressively manage memory and can clear cookies during background app switching. Also, iOS Safari has weird cookie behavior with `sameSite` settings that don't match your deployment setup.Check your cookie settings: use `sameSite: 'lax'` for cross-site functionality or `sameSite: 'strict'` for better security. Test on actual iOS devices, not just desktop Safari.

Auth works on the main domain but breaks on subdomains

Cookie domain mismatch. A cookie set on `app.example.com` won't be sent to `api.example.com` or vice versa. You need to set the cookie domain to `.example.com` to share cookies across subdomains.```javascriptcookies.set('session', sessionId, { domain: '.yourdomain.com', // Note the leading dot path: '/', httpOnly: true});```

My login endpoint works but protected routes return 401 unauthorized

Your authentication middleware isn't running on protected routes, or you have a middleware ordering issue. Check that your server hook is actually setting `event.locals.user` and that your route handlers are checking `locals.isAuthenticated` correctly.Common mistake: checking `event.locals.user` in server-side code but the hook never ran because of adapter issues or missing hook exports.

Password reset emails work in dev but not production

Email configuration differences between environments. Check your SMTP settings, email provider configuration, and environment variables. Also verify your production domain is whitelisted with your email provider.Common gotcha: Development uses a different email service than production, and production has stricter sending limits or domain verification requirements.

Two-factor authentication codes always fail, even correct ones

Time synchronization issues. TOTP codes depend on server and client having synchronized time. If your server's clock is off by more than 30 seconds, valid codes will be rejected.Check your server's time with `date` and compare to real time. For Docker deployments, make sure containers are using the correct timezone and NTP is working.

API authentication works with Postman but fails from the browser

CORS issues or preflight request problems. The browser sends OPTIONS requests before POST requests for authentication endpoints. Make sure your CORS middleware handles preflight requests correctly.Also check if you're sending credentials: `fetch('/api/auth', { credentials: 'include' })` is required for cookie-based auth in browser requests.

Users stay logged in forever even after session expiration

Your session validation isn't checking expiration times, or you're not implementing session refresh correctly. Every session validation should check if the session has expired and clean up expired sessions.```javascript// Always check expiration in session validationconst session = await db.session.findFirst({ where: { id: sessionId, expiresAt: { gt: new Date() } // This is critical }});```

OAuth callback fails with "state parameter mismatch" errors

The OAuth state parameter isn't persisting between the authorization redirect and the callback. This usually happens when you're storing state in memory instead of cookies/database, or when your session storage is getting cleared.Store the OAuth state in a secure cookie or database with a short expiration time, not in application memory.

Users get logged out when navigating between pages

Client-side navigation is failing to include authentication headers or cookies. Check that your API client is configured to send credentials with every request, and that SvelteKit's navigation isn't dropping authentication context.Make sure you're using SvelteKit's `$page.data` for auth state instead of storing it in client-side stores that can get reset during navigation.

Why does my auth work on Mac but completely break on Windows development?

Windows path length limits, WSL2 filesystem weirdness, and file watching issues break authentication flows in ways that make no sense. Your session files might be getting truncated because Windows has 260-character path limits that break when you have deep node_modules structures.WSL2 helps but creates new problems - your code runs in Linux but talks to Windows Docker containers with different networking. Session cookies get confused about localhost vs your Windows IP address.Most Windows developers I know either use WSL2 exclusively or just switch to Mac/Linux. Windows authentication debugging is digital archaeology - half the Stack Overflow answers don't apply to your specific Windows/Docker/WSL2 combination.

Currently viewing the AI version

Switch to human version

SvelteKit Authentication Technical Reference

Critical Authentication Race Condition

Problem

Authentication works locally but fails in production with random logouts. Session cookies set during login don't arrive before SSR rendering completes.

Root Cause

Timing mismatch between cookie setting and server-side rendering:

0ms: SvelteKit starts rendering /dashboard on server
1ms: Server hook looks for session cookie - not present yet
2ms: Server renders "not authenticated" HTML
5ms: Browser receives "logged out" HTML
10ms: Login response completes, session cookie finally set
15ms: Client hydrates with server's "not authenticated" state

Solution

Use reactive patterns instead of imperative authentication checks:

// Reactive approach - works with SvelteKit's design
let sessionToken = $state($page.data.user?.token || null);

$effect(() => {
  if (sessionToken) {
    loadUserData(); // Runs whenever sessionToken changes
  } else {
    clearUserData();
  }
});

Production Cookie Configuration

Development vs Production Failure

Cookies work on http://localhost:3000 but fail with HTTPS in production due to missing security settings.

Production-Ready Cookie Settings

const isProduction = process.env.NODE_ENV === 'production';

event.cookies.set('session', sessionId, {
  path: '/',
  maxAge: 60 * 60 * 24 * 7,
  httpOnly: true,
  secure: isProduction, // HTTPS only in production
  sameSite: isProduction ? 'strict' : 'lax',
  domain: isProduction ? '.yourdomain.com' : undefined
});

Critical Domain Configuration

Cookie set on api.example.com won't be sent to app.example.com
Use .example.com (note leading dot) for subdomain sharing
Production domain mismatch causes complete authentication failure

Resilient Server Hook Implementation

Fragile Pattern (Causes Random Logouts)

// DON'T USE - destroys sessions on any validation hiccup
if (sessionId) {
  const user = await validateSession(sessionId);
  if (user) {
    event.locals.user = user;
  } else {
    event.cookies.delete('session'); // Destroys sessions on network timeouts
    event.locals.user = null;
  }
}

Production-Resilient Pattern

// Survives network failures, database hiccups, backend 500 errors
if (sessionId) {
  try {
    const user = await validateSession(sessionId);
    if (user) {
      event.locals.user = user;
      event.locals.isAuthenticated = true;
    } else {
      // Session invalid - mark unauthenticated but keep cookie
      event.locals.user = null;
      event.locals.isAuthenticated = false;
    }
  } catch (error) {
    // Network/database error - assume unauthenticated but preserve session
    console.warn('Session validation failed:', error.message);
    event.locals.user = null;
    event.locals.isAuthenticated = false;
    // Cookie survives temporary failures
  }
}

Memory Leak Prevention

Session Storage Memory Leak

In-memory session storage kills production servers after 2-3 days of uptime.

Critical Warning: Never use MemoryStore in production

// This kills production servers
import session from 'express-session';
const store = new session.MemoryStore(); // Memory leak waiting to happen

Required Cleanup Strategy

// Cleanup job that must run
setInterval(async () => {
  await db.session.deleteMany({
    where: { expiresAt: { lt: new Date() } }
  });
}, 1000 * 60 * 60); // Every hour, delete expired sessions

Authentication Library Comparison

Solution	Production Ready	Time Investment	Maintenance Cost	Breaking Points
Auth.js (NextAuth)	Unreliable	2-4 hours	High	Session bugs, version conflicts, React assumptions
Lucia Auth	Dead Project	1-2 hours	Impossible	Deprecated March 2025, no security patches
Supabase Auth	Yes	30 minutes	Low	Vendor lock-in, limited customization
Firebase Auth	Yes	1-2 hours	Medium	Legacy patterns, client-centric model conflicts
Roll Your Own	Yes	3-6 hours	Medium	You own all bugs, full control

Auth.js Critical Issues

Sessions expire randomly in production
Version incompatibilities between SvelteKit upgrades
Requires pinning to specific versions (SvelteKit 1.19.2 + Auth.js v4.20.8)
Built for React patterns, not SvelteKit's server-first approach

Lucia Auth Deprecation Impact

No updates after March 2025
No security patches for discovered vulnerabilities
Community scattering to other solutions
Career risk for new projects

Common Production Failures

Entire User Base Logout After Deployment

Cause: JWT_SECRET changed or session database cleared during deployment
Emergency Fix: Rollback deployment
Prevention: Store JWT_SECRET in persistent environment variables

Mobile-Specific Session Expiration

Cause: Mobile browsers aggressively clear cookies during app switching
Solution: Use sameSite: 'lax' for cross-site functionality, test on actual iOS devices

Subdomain Authentication Failure

Cause: Cookie domain mismatch
Fix: Set cookie domain to .yourdomain.com for subdomain sharing

API Routes Accessible Without Authentication

Critical Security Issue: Frontend-only auth checks allow direct API access
Required Fix: Server-side auth validation on every protected route

// In every API route
if (!event.locals.isAuthenticated) {
  throw error(401, 'Unauthorized');
}

Roll-Your-Own Implementation Guide

Minimal Session Authentication

// lib/auth.js - ~50 lines of bulletproof auth
import bcrypt from 'bcryptjs';
import crypto from 'crypto';

export async function createSession(userId) {
  const sessionId = crypto.randomBytes(32).toString('hex');
  
  await db.session.create({
    data: {
      id: sessionId,
      userId: userId,
      expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)
    }
  });
  
  return sessionId;
}

export async function validateSession(sessionId) {
  const session = await db.session.findFirst({
    where: { 
      id: sessionId,
      expiresAt: { gt: new Date() } // Critical expiration check
    },
    include: { user: true }
  });
  
  return session?.user || null;
}

OAuth Integration Pattern

// routes/auth/google/+server.js
export async function GET({ url, cookies }) {
  const code = url.searchParams.get('code');
  const googleUser = await exchangeCodeForUser(code);
  const user = await findOrCreateUser(googleUser);
  const sessionId = await createSession(user.id);
  
  cookies.set('session', sessionId, {
    path: '/',
    httpOnly: true,
    secure: true,
    maxAge: 60 * 60 * 24 * 7
  });
  
  throw redirect(303, '/dashboard');
}

Adapter-Specific Issues

Static Adapter Authentication Failure

Problem: adapter-static doesn't run server hooks, breaking all authentication
Solution: Use adapter-auto, adapter-node, or adapter-vercel for dynamic auth
Warning: CI configurations often default to static adapters for "performance optimization"

Adapter Auto-Detection Failures

Issue: adapter-auto sometimes picks wrong adapter in production
Solution: Explicitly specify adapter instead of trusting auto-detection

Critical Security Requirements

Session Validation Checks

Always verify session expiration:

const session = await db.session.findFirst({
  where: {
    id: sessionId,
    expiresAt: { gt: new Date() } // This check is critical
  }
});

JWT Secret Management

Store in environment variables, never hardcode
Consistent across deployments to prevent mass logouts
Secret changes invalidate all existing sessions

CORS and Preflight Handling

Browser authentication requires:

Proper CORS middleware for OPTIONS requests
credentials: 'include' for cookie-based auth
Correct preflight request handling

Performance and Monitoring

Session Cleanup Strategy

Required for database session storage:

Hourly cleanup of expired sessions
Background job that doesn't block application
Monitoring for cleanup job failures

Production Monitoring Points

Login success/failure rates
Session duration analytics
Authentication timing metrics
Random logout frequency tracking

Development Environment Issues

Windows-Specific Problems

Path length limits (260 characters) break session storage
WSL2 filesystem weirdness affects cookie handling
Docker networking conflicts between Windows/Linux containers
Most Windows developers switch to Mac/Linux for authentication work

Hydration Mismatch Prevention

Use SvelteKit's universal load functions:

// +layout.server.js - Single source of truth
export async function load({ locals }) {
  return {
    user: locals.user,
    isAuthenticated: locals.isAuthenticated
  };
}

Resource Requirements

Time Investment Comparison

Auth.js setup: 2-4 hours, high ongoing maintenance
Roll-your-own: 3-6 hours initial, medium maintenance
Supabase: 30 minutes setup, low maintenance but vendor lock-in

Expertise Requirements

Understanding of HTTP cookies and sessions
Knowledge of OWASP security guidelines
Experience with production debugging
Familiarity with SvelteKit's server-first architecture

Infrastructure Dependencies

Database for session storage (avoid in-memory)
Background job system for cleanup
Production monitoring for auth failures
Error tracking for session issues

Breaking Points and Failure Modes

At Scale Issues

Session table grows indefinitely without cleanup
Database connection pool exhaustion during login spikes
Memory leaks from in-memory session storage
Cookie storage limits affecting large session data

Security Failure Scenarios

Session fixation attacks without proper session regeneration
XSS attacks accessing non-httpOnly cookies
CSRF attacks without proper token validation
Session hijacking over non-HTTPS connections

Framework Compatibility Risks

SvelteKit version upgrades breaking auth library compatibility
Adapter changes affecting server hook execution
Node.js version updates breaking cryptographic libraries
Third-party library deprecation (like Lucia Auth)

Useful Links for Further Investigation

Authentication Resources That Don't Waste Your Time

Link	Description
SvelteKit Auth.js Integration	Official Auth.js SvelteKit docs. Works until it doesn't, but decent starting point.
The SvelteKit Auth Race	Shane Chang's detailed debugging session on race conditions. Essential reading if your auth randomly breaks.
SvelteKit Authentication Discussion	GitHub discussion about proper authentication patterns in SvelteKit.
Lucia Deprecation Announcement	pilcrowonpaper's explanation of why Lucia is being deprecated in 2025.
SvelteKit Kit Issues: Auth Problems	Collection of real authentication issues reported by developers.
Clerk SvelteKit Integration	Community-maintained adapter for integrating Clerk with SvelteKit. Best managed solution that actually works.
Supabase Auth Helpers	Solid choice if you're using Supabase for database/hosting.
Auth0 SvelteKit Guide	Enterprise-grade auth, complex setup, handles edge cases well.
OWASP Authentication Cheat Sheet	Essential reading if you're rolling your own auth.
HTTP Cookie Security	Everything you need to know about secure cookie configuration.
Session Management Best Practices	OWASP guide to avoiding common session security holes.
Svelte DevTools	Browser extension for inspecting Svelte component hierarchies and debugging state.
Cookie Inspector Browser Extension	Essential for debugging cookie issues across domains.
Session Replay Tools	See exactly what happens when authentication fails in production.
SvelteKit Auth Example	Complete authentication implementation reference with registration, login, and role-based access.
bcryptjs	Password hashing library that doesn't break on different Node.js versions.
jose	JWT library if you need to handle JWT tokens manually.
Prisma Session Model	Database schema examples for storing user sessions.
Drizzle ORM Auth Examples	TypeScript-first ORM with good session management patterns.
Redis Session Storage	Redis data types documentation for implementing high-performance session storage.
Vercel SvelteKit Deployment	Official Vercel guide for SvelteKit deployments including authentication and Draft Mode.
SvelteKit Cookie Sessions	Utility for encrypted cookie-based sessions that work in containers.
Cloudflare Pages SvelteKit	Deploy SvelteKit to Cloudflare Pages with edge-compatible authentication.
SvelteKit Discord #help-auth	Active community help channel for authentication questions.
SvelteKit Authentication Posts	Community blog posts about SvelteKit authentication challenges and solutions.
SvelteKit GitHub Discussions	Official place to discuss authentication patterns and issues.
Playwright Authentication Testing	End-to-end testing that includes login flows.
Vitest Session Testing	Unit testing authentication functions and middleware.
MSW (Mock Service Worker)	Mock authentication APIs for testing without real backends.
Google OAuth2 Setup	Creating OAuth applications for Google sign-in.
GitHub OAuth Apps	Setting up GitHub authentication for development and production.
Discord OAuth2	Discord OAuth setup if you're building gaming/community apps.
Sentry Error Tracking	Track authentication failures and session errors in production.
DataDog Session Monitoring	Monitor authentication performance and session duration.
New Relic Auth Metrics	Track login success rates and authentication timing.

38%

Recommendations combine user behavior, content similarity, research intelligence, and SEO optimization