New Cookie Auth Example #11167
Comments
@dastrong If you're not storing the cookie client-side then how are you sending the cookie in a header? If the fetch is happening in an API route it's okay, because the server will have access to the cookie, but if that's happening from the browser the cookie won't be available in any way if

@lfades hmm I tried using credentials include when fetching from the next API route, but wasn't receiving the cookie server side. So that's why I attached the cookie to headers. I can see the httpOnly cookie in req.cookies and configured the backend cors to allow credentials. I'll have another go this afternoon

We have updated our auth examples since this was opened! See the new ones!

This issue has been automatically locked due to no recent activity. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.
Feature request

Is your feature request related to a problem? Please describe.

The current `with-cookie-auth` example is lacking.

Describe the solution you'd like

If the following is actually secure and preferable (newer to cookies), I'd love to improve that example or build a newer, larger one for everyone.

From what I've read (#10062 and #9913), a cookie needs to be set in the Next API route (with plain old 'cookie' and `setHeader`) with the following to be secure:

In my case, I want to store a sessionId (sid) in a cookie, so that if the user closes the tab and comes back within a day, they'll automatically be logged back in. So after the Context Provider mounts, we'd make a fetch request to a Next `verify` API route. If there's a `sid` cookie, we'll send that to our external API to get the user object and that JWT, both of which would be put in our User Provider.

We'd have to include the cookie in the fetch like this, since it's cross domain.

We're not storing the `sid` in localStorage or a client-side cookie, so that would be secure. Would sending the cookie through the header to the external API be okay?

Describe alternatives you've considered

Well I could do an unsecured method using a client cookie or localStorage, but I'm trying to avoid doing that since it's not secure.

Additional context

@lfades I saw you comment on both the issues I linked above. Maybe you could give some insight into whether an example like this would be beneficial to the community.
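The flow the issue describes (set the session id as an httpOnly cookie from a Next API route, then have a `verify` route read it server-side and forward it to an external API), written out as an added example. This is not code from the issue, from the `with-cookie-auth` example, or from the Next.js repository. The external API host (`api.example.invalid`), its `/login` and `/verify` endpoints and their JSON shapes are placeholders I made up, the cookie attributes (`HttpOnly`, `Secure`, `SameSite=Lax`, one-day `Max-Age`) are my choice of a safe default, and `makeRes` is a stand-in for Next's response object so the handlers can be exercised without a server. The point the thread circles around is visible in `verifyHandler`: the browser only ever talks to the same-origin Next route, so the cookie arrives on the server without any client-side storage, and the hop to the external domain is server-to-server, where CORS and `credentials: 'include'` play no part.

```javascript
// Added example, not from the issue or the Next.js repo. The external API,
// its endpoints and response shapes are hypothetical placeholders.
const EXTERNAL_API = "https://api.example.invalid"; // placeholder host, not real
const COOKIE_NAME = "sid";
const ONE_DAY = 60 * 60 * 24;

// Build a Set-Cookie value with the attributes that keep the session id away
// from page scripts (HttpOnly), off plaintext connections (Secure) and out of
// cross-site requests (SameSite=Lax). Same output shape as `cookie.serialize`.
function serializeSessionCookie(sid, maxAgeSeconds = ONE_DAY, secure = true) {
  if (!/^[A-Za-z0-9_-]+$/.test(sid)) {
    throw new Error("session id contains characters not allowed in a cookie value");
  }
  const parts = [
    `${COOKIE_NAME}=${sid}`,
    `Max-Age=${maxAgeSeconds}`,
    "Path=/",
    "HttpOnly",
    "SameSite=Lax",
  ];
  if (secure) parts.push("Secure"); // drop only for http://localhost in development
  return parts.join("; ");
}

// Parse a Cookie request header into an object, the way Next fills req.cookies.
function parseCookies(header) {
  const out = {};
  for (const pair of (header || "").split(";")) {
    const idx = pair.indexOf("=");
    if (idx === -1) continue;
    const name = pair.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(pair.slice(idx + 1).trim());
  }
  return out;
}

// POST /api/login: hand the credentials to the external API, receive a session
// id, and set it as an httpOnly cookie. The browser never sees the value.
async function loginHandler(req, res, fetchImpl = globalThis.fetch) {
  const upstream = await fetchImpl(`${EXTERNAL_API}/login`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(req.body),
  });
  if (!upstream.ok) return res.status(401).json({ error: "invalid credentials" });
  const { sid, user } = await upstream.json();
  res.setHeader("Set-Cookie", serializeSessionCookie(sid));
  return res.status(200).json({ user });
}

// GET /api/verify: read the sid cookie server-side and forward it to the
// external API in a header; only the user object goes back to the client.
async function verifyHandler(req, res, fetchImpl = globalThis.fetch) {
  const { sid } = parseCookies(req.headers.cookie);
  if (!sid) return res.status(401).json({ error: "no session" });
  const upstream = await fetchImpl(`${EXTERNAL_API}/verify`, {
    headers: { Cookie: `${COOKIE_NAME}=${sid}` },
  });
  if (!upstream.ok) {
    // Expired or unknown session: clear the cookie so the client stops retrying.
    res.setHeader("Set-Cookie", serializeSessionCookie("expired", 0));
    return res.status(401).json({ error: "session invalid" });
  }
  const { user } = await upstream.json();
  return res.status(200).json({ user });
}

// Minimal stand-in for Next's res object (constructed for this example only).
function makeRes() {
  const res = { headers: {}, statusCode: 200, body: undefined };
  res.setHeader = (k, v) => { res.headers[k] = v; return res; };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}
```

From the page, a plain `fetch('/api/verify')` is enough: it is same-origin, so the browser attaches the cookie by default, and `credentials: 'include'` only matters for requests the browser itself makes to another origin. Because the session id is forwarded from the server, the external API never needs to allow credentialed cross-origin requests from the browser at all, which removes one CORS setting to get wrong.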