supabase / auth-helpers

A collection of framework specific Auth utilities for working with Supabase.

Home Page: https://supabase.github.io/auth-helpers/

[supabase/ssr] Auth token chunking broken

bombillazo opened this issue · comments

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

In a Next.js application, when the user JWT access token is too large, the Supabase auth library splits it into sections and sends it in the cookies in the following manner:

sb-project-auth-token.0
sb-project-auth-token.1
...
sb-project-auth-token.n

These cookies are randomly deleted from the browser storage, which causes auth issues in the application. We have not identified the cause, but it happens when the JWT is split into multiple cookies.

To Reproduce

  1. Create a user in your auth table and add a large dummy raw_user_meta_data JSON object
  2. In a Next page, add the SSR createBrowserClient
  3. Log in
  4. Check the cookies panel in your browser and look for sb-project-auth-token.0
  5. Navigate around the page, refresh or wait a while
  6. Cookies are randomly deleted

Expected behavior

Cookies are kept in memory until a signout event happens or the cookies are cleared manually.

System information

  • Browser (if applies) Firefox
  • Version of supabase-js: 2.39.3

Additional context

We are using the Next.js framework

We've found this happens when the server thinks the cookie is invalid. For us, this happened when our framework wasn't URL-decoding the cookie, so it failed to JSON.parse.
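
The failure mode described in the comment above, as an added example that is not part of the original thread and is not code from @supabase/ssr: a reader that joins the `.0 … .n` chunks and then parses them with and without URL-decoding. It assumes the session is URL-encoded JSON split across the chunk cookies; the function names, the 40-character chunk size and the sample session are constructed for illustration.

```javascript
// Added example, not @supabase/ssr code. Assumption: the session is JSON that
// is URL-encoded and then split across cookies <base>.0 ... <base>.n.

// Parse a Cookie header into a Map, leaving values exactly as sent (undecoded).
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Join <base>.0, <base>.1, ... in index order, stopping at the first gap.
function joinChunks(jar, base) {
  if (jar.has(base)) return jar.get(base); // small session, never chunked
  const chunks = [];
  for (let i = 0; jar.has(`${base}.${i}`); i++) chunks.push(jar.get(`${base}.${i}`));
  return chunks.length ? chunks.join('') : null;
}

// Decode only after joining: a chunk boundary can fall inside a %XX escape.
function readSession(header, base, { decode = true } = {}) {
  const raw = joinChunks(parseCookieHeader(header), base);
  if (raw === null) return { ok: false, reason: 'missing' };
  try {
    return { ok: true, session: JSON.parse(decode ? decodeURIComponent(raw) : raw) };
  } catch (err) {
    return { ok: false, reason: 'unparseable' }; // URIError or SyntaxError
  }
}

// Constructed sample input: build a chunked Cookie header for a fake session.
function buildHeader(session, base, chunkSize) {
  const encoded = encodeURIComponent(JSON.stringify(session));
  const pairs = [];
  for (let i = 0; i * chunkSize < encoded.length; i++) {
    pairs.push(`${base}.${i}=${encoded.slice(i * chunkSize, (i + 1) * chunkSize)}`);
  }
  return pairs.join('; ');
}

const BASE = 'sb-project-auth-token';
const sample = { access_token: 'a.b.c', user: { user_metadata: { note: 'x y "z"' } } };
const header = buildHeader(sample, BASE, 40);
console.log(readSession(header, BASE));                    // decoded: ok
console.log(readSession(header, BASE, { decode: false })); // raw: unparseable
```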

Hey, we've identified this as one of the main problems. We're addressing this here: https://github.com/orgs/supabase/discussions/27037

Linking the PR for reference: supabase/ssr#1