When you open this in two browsers and refresh a few times, one browser after the other, you’ll see the count go up and up (when looking at the page source), proving that the state is shared between both browsers (well, not really, it’s shared on the server, and used by both users). This will have serious consequences if you go this route: if user A is logged in and you’d write the user object to the shared state, and user B is not logged in, they’d still see a flash of user A’s username appear in the navigation bar, until the shared state is overwritten by the undefined user object.
5 Matching Annotations
- Jul 2025
-
www.loopwerk.io www.loopwerk.io
-
-
export const state: State = $state({ user: undefined });
The problem is, this creates global (server-wide) state, when it should be "user-local" global state.
-
But sadly this introduces shared state on the server (when we use SSR), and this is a big problem since we’re now leaking data between different users.
-
-
svelte.dev svelte.dev
-
risk of accidentally exposing one user’s data to another
-
As with the previous example, this puts one user’s information in a place that is shared by all users.
-