Current File : /home/gositeme/domains/lavocat.quebec/private_html/SERVER_SESSION_CLEANUP_INSTALLED.md
# Server-Side Session Cleanup - INSTALLED

## What Was Added

### 1. Enhanced Auth Configuration (`src/lib/auth.ts`)
✅ Added error handling for JWT decryption failures
✅ Automatic detection of invalid session cookies
✅ Graceful handling that doesn't break the site

**Changes:**
- Added a `logger` configuration whose `error` handler catches the `JWT_SESSION_ERROR` code NextAuth raises when a session cookie cannot be decrypted
- Logs each invalid session attempt without crashing the request
- Treats a failed decryption as "no session" instead of letting it surface as an unhandled error

### 2. Middleware for Session Cleanup (`src/middleware.ts`)
✅ Automatically clears invalid cookies
✅ Runs on every request
✅ Filters to avoid API routes

**Behavior:**
- Detects `SessionRequired` errors
- Clears all NextAuth cookies (session token, callback URL and CSRF token, including the `__Secure-`/`__Host-` prefixed names NextAuth uses over HTTPS). The clearing `Set-Cookie` must use the same `Path` and `Secure` attributes as the originals, because a browser only overwrites a cookie whose name and attributes match
- Prevents infinite redirect loops: a request that no longer carries a session cookie must pass through untouched, otherwise the redirect issued after clearing would trigger another clear

### 3. Session Verification API (`src/pages/api/auth/verify-session.ts`)
✅ Endpoint to manually verify sessions
✅ Automatically clears invalid cookies
✅ Returns session status

**Usage:**
```javascript
// Check whether the current session is valid; the endpoint clears stale cookies itself
fetch('/api/auth/verify-session', { credentials: 'same-origin' })
  .then(r => r.json())
  .then(data => {
    if (!data.valid) {
      console.log('Session invalid, cookies cleared');
    }
  })
  .catch(err => console.error('verify-session request failed', err));
```

### 4. Client-Side Auto Cleanup (`src/utils/auto-session-cleanup.ts`)
✅ Utility functions for session cleanup
✅ Automatic detection of auth errors
✅ Cookie clearing helper

### 5. App-Level Integration (`src/pages/_app.tsx`)
✅ Integrated automatic cleanup
✅ Runs on every page load
✅ Non-blocking (won't break the site)

## How It Works

1. **User has old/invalid cookie**
2. **Middleware detects auth error**
3. **Cookies automatically cleared**
4. **User redirected to login**
5. **User logs in fresh**
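The decision logic behind steps 2 and 3, as an added, framework-free example (not the project's `src/middleware.ts` or `verify-session.ts`). It assumes the NextAuth v4 default cookie names; the token validity check is injected as a hypothetical `isValidToken` callback (in the real middleware this would wrap `getToken()` from `next-auth/jwt`), and the `/login` path and the cookie header below are constructed for the example.

```typescript
// Added example, not the project's own code: helpers a Next.js middleware or
// the verify-session API route could call to clear NextAuth cookies whose
// session JWT no longer decrypts. Cookie names are the NextAuth v4 defaults.

// NextAuth v4 default cookie names, plus the `__Secure-`/`__Host-` prefixed
// variants NextAuth uses when the site is served over HTTPS.
export const NEXTAUTH_COOKIE_NAMES: readonly string[] = [
  "next-auth.session-token",
  "__Secure-next-auth.session-token",
  "next-auth.callback-url",
  "__Secure-next-auth.callback-url",
  "next-auth.csrf-token",
  "__Host-next-auth.csrf-token",
];

// Parse a raw `Cookie:` request header into name -> value.
export function parseCookieHeader(header: string | null | undefined): Map<string, string> {
  const cookies = new Map<string, string>();
  if (!header) return cookies;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) cookies.set(name, value);
  }
  return cookies;
}

// Build a Set-Cookie value that deletes `name`. A browser only replaces a cookie
// whose name, Path and Domain match, and `__Secure-`/`__Host-` names require the
// Secure attribute, so the clearing cookie mirrors those attributes.
export function expireCookie(name: string): string {
  const secure = name.startsWith("__Secure-") || name.startsWith("__Host-");
  return `${name}=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Lax${secure ? "; Secure" : ""}`;
}

// Set-Cookie headers that clear every NextAuth cookie the request actually carries.
export function clearNextAuthCookies(cookieHeader: string | null | undefined): string[] {
  const present = parseCookieHeader(cookieHeader);
  return NEXTAUTH_COOKIE_NAMES.filter((n) => present.has(n)).map(expireCookie);
}

// Hypothetical callback: true when the session JWT decrypts and verifies with
// the current secret. Injected so the example runs without NextAuth installed.
export type SessionTokenCheck = (token: string) => boolean;

export interface CleanupDecision {
  setCookie: string[];       // Set-Cookie headers to attach to the response
  redirectTo: string | null; // login path to redirect to, or null to pass through
}

export function decideSessionCleanup(opts: {
  pathname: string;
  cookieHeader: string | null | undefined;
  isValidToken: SessionTokenCheck;
  loginPath?: string;
}): CleanupDecision {
  const loginPath = opts.loginPath ?? "/login";
  const noop: CleanupDecision = { setCookie: [], redirectTo: null };

  // API routes and Next.js internals are left alone, as the middleware filter does.
  if (opts.pathname.startsWith("/api/") || opts.pathname.startsWith("/_next/")) return noop;

  const cookies = parseCookieHeader(opts.cookieHeader);
  const token =
    cookies.get("__Secure-next-auth.session-token") ?? cookies.get("next-auth.session-token");

  // No session cookie is not an error: an anonymous visitor, or a user whose stale
  // cookie was just cleared. Passing this case through is what stops the redirect loop.
  if (token === undefined) return noop;
  if (opts.isValidToken(token)) return noop;

  // Stale or undecryptable token: clear everything NextAuth set and send the user
  // to login, unless the request is already for the login page.
  return {
    setCookie: clearNextAuthCookies(opts.cookieHeader),
    redirectTo: opts.pathname === loginPath ? null : loginPath,
  };
}

// Constructed request: a callback-url cookie plus a session token encrypted
// with the old secret, so the injected check rejects it.
export const demo = decideSessionCleanup({
  pathname: "/account",
  cookieHeader: "next-auth.callback-url=%2Faccount; next-auth.session-token=eyJ.stale",
  isValidToken: (t) => t === "eyJ.fresh",
});
```

In a real `middleware.ts` the `setCookie` entries go onto the `NextResponse.redirect()` response and `isValidToken` wraps `getToken({ req, secret })`; the verify-session route can reuse `clearNextAuthCookies` and return `{ valid: false }` alongside the same headers. Valid sessions and cookie-less requests produce no headers and no redirect, which is the "non-destructive" behaviour the notes below describe.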

## Testing

After restarting the server:

1. **Access the site** - Should load without errors
2. **Try to access protected page** - Should redirect to login
3. **Login** - Should work normally
4. **Check browser console** - No JWT errors

## Current Status

✅ **Server-side cleanup installed**
✅ **No linter errors**
✅ **Ready to test**

## Next Steps

1. **Restart the server:**
   ```bash
   # Stop current server. This matches every node process whose command line
   # contains "server"; check with `pgrep -af "node.*server"` first if other
   # node services run under this account.
   pkill -f "node.*server"
   
   # Start fresh
   npm run dev
   ```

2. **Test the site:**
   - Visit the homepage
   - Try to login
   - Check if protected pages work

3. **Monitor logs:**
   ```bash
   tail -f server.log
   ```

## What This Fixes

- ❌ **OLD:** Invalid JWT cookies caused site to crash
- ✅ **NEW:** Invalid cookies are automatically cleared
- ✅ **NEW:** Users can still access the site
- ✅ **NEW:** Graceful redirect to login

## Notes

- The cleanup is **non-destructive** - it won't delete valid sessions
- It only clears cookies when there's a decryption error
- Users just need to re-login after the NextAuth secret change: session cookies encrypted with the old secret can no longer be decrypted, so they are cleared on the next request
- No data is lost - only session cookies are cleared

