Session flash message fails occasionally


I can’t help really, but I see two suprising things:

  1. $ in front of email in the first line. It’s like we are back in PHP suddenly. Cringe moment.
  2. The second message should be of type error, not success.


The $ is a typo while posting the code over here.


Here is the workflow:

  • Click on a link in an email sent
  • Then execute the code above

Can’t seem to figure out why this is not working as expected. Other flash messages are working just fine.


Can you share more information around it.

  1. What’s the route, which invokes this controller method
  2. Is everything happening on the same host:port?


Okay, there’s the full code:

Route.get('register/verify/:token', 'Auth/RegisterController.verifyEmail')
async verifyEmail ({ params, session, response }) {
    try {
      const user = await User.findBy('verification_token', params.token)

      user.verification_token = null
      user.is_verified = true


        notification: {
          type: 'success',
          message: 'Your email address has been verified.'

      return response.redirect('/login')
    } catch (error) {
        notification: {
          type: 'danger',
          message: 'The token is invalid.'

      return response.redirect('/login')

Yeah, everything is happening on the same port. Here’s a sample link in the email sent:


I believe it cookie might have been created for the nested path /register/verify/token. Can you check config/session.js file and see that path is set to /.


Yeah, it is set.

cookie: {
  httpOnly: true,
  sameSite: true,
  path: '/'


I created a sample repo. You can help me reproduce the problem


With the repo, on the first trial, it flashed the message but subsequently No flash messsage.


The issue only occurs with Chrome. Tested with Safari and Firefox, and seems to be working.

I think Chrome is handling the session in a different way.


Ohh then you got confused with what flash messages are.

Flash messages live only for a single request and then are removed. So doing a page refresh means a new request and hence messages are removed.

Regarding safari I would say open devtools and disable cache, since safari is not making request on the server.

Chrome behaviour is the correct one


I understand that flash messages only live for a single request.


Redirect to /login is the single request which I’m flashing the message to


Yeah but you said that in the sample repo I shared, the message is shown for one time and disappears on the next refresh, so that’s the correct behaviour.

If behaviour in your app is different, then help me reproduce it.


Sorry for the confusion, what I’m trying to say is that even with your sample repo, the message is not flashed.


When you run the sample repo, is the message being flashed? Particularly with Chrome?


@virk now this is totally confusing or maybe I’m doing something wrong somewhere.

If I click the link ( from within the email sent (which will open in a new tab, I’m using Mailtrap for testing), I get no flash message. But if I enter the same link directly into the browser, everything works fine.

This explains why I thought it was working on other browsers because I was copy/pasting the URL directly in their address bar.


1 thing I have in top of my mind is that the browser is pre-fetching the URL, before on click on it.

  1. Can you log a message every time you receive a request for the verify route and see if it prefetches when you hover on URL or not?
  2. One more thing, can you check and see if sameSite is set to false in the config file?

Auth Fails after email validation

Okay sameSite: true is the problem. Chrome has this weird bug, for which sameSite: false has to be set in order to persist cookies during redirect.


Thanks that solved the problem.

Had to read up on SameSite, apparently, some browsers (Chrome, Firefox, and Opera) has already implemented it. So, I don’t think it actually a bug with Chrome.