getSession(), safeGetSession(), and getUser()

I'm following the guide to make a user management with supabase+sveltekit here https://supabase.com/docs/guides/getting-started/tutorials/with-sveltekit?queryGroups=database-method&database-method=dashboard.

It said in comment in the

+layout.ts

+layout.ts

that:

It's fine to use `getSession` here, because on the client, `getSession` is
safe, and on the server, it reads `session` from the `LayoutData`, which
safely checked the session using `safeGetSession`.

It's fine to use `getSession` here, because on the client, `getSession` is
safe, and on the server, it reads `session` from the `LayoutData`, which
safely checked the session using `safeGetSession`.

I follow it all, and it works just fine. But I get a warning(?) at my console:

Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and may not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.

Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and may not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.

I'm confused because why made a guide using a method that are considered not secure? but it's considered safe in the guide?

Build a User Management App with SvelteKit | Supabase Docs

Learn how to use Supabase in your SvelteKit App.

Supabase•8mo ago•

4 replies

handjobservice

getSession(), safeGetSession(), and getUser()

+layout.ts

+layout.ts

that:

It's fine to use `getSession` here, because on the client, `getSession` is
safe, and on the server, it reads `session` from the `LayoutData`, which
safely checked the session using `safeGetSession`.

It's fine to use `getSession` here, because on the client, `getSession` is
safe, and on the server, it reads `session` from the `LayoutData`, which
safely checked the session using `safeGetSession`.

I follow it all, and it works just fine. But I get a warning(?) at my console:

Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and may not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.

Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and may not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.

I'm confused because why made a guide using a method that are considered not secure? but it's considered safe in the guide?

Build a User Management App with SvelteKit | Supabase Docs

Learn how to use Supabase in your SvelteKit App.

getSession(), safeGetSession(), and getUser()

getSession(), safeGetSession(), and getUser()

Similar Threads

Similar Threads

Similar Threads