Route URL not being protected in Production/Azure but is in development/localhost

[nicwcampbell]

I am experiencing different middleware route protection in Next Auth when in Production (Azure Static Web Apps) vs in development (localhost).

When I first go to the Root URL in either development or production, it required me to log in - this is expected. However, after I have logged in and then logged out, in development if I go back to the Root URL then I have to log in again whereas in production I have access to that page still despite being logged out and seeing that the session cookie has been correctly removed. I can do a hard refresh and still can access that page. If I try and access a different page that I also visited while being logged in such as /about, then it requires me to be logged in which is correct. So it seems that for some reason the base URL is allowing non logged in user to access if they have been logged in before, but other pages don't display this same behaviour. As I said, in development this is not an issue and I always have to log in.

I am using Next Auth middleware.js as follows:

`export { default } from "next-auth/middleware";

export const config = {
matcher: [
"/((?!api|_next/static|favicon.ico).*)",
],
};
`
The root URL is an SSG page but so is the /about so that's not the issue. An as I said, I have done a hard refresh so client side caching doesn't seem to be the issue. I even cleared by browser cache and that had no affect. So it seems that the middleware for some reason is letting through the root URL after first login and logout and I can't seem to figure out why, or why only in Production. Is Azure doing something strange?