Open DiiiaZoTe opened 1 month ago
The suggestion makes sense, and I will implement it soon. But, just curious, how is it really different? Both are practically doing the same thing as far as I understand.
Both practically do the same thing, right?
So you are correct in what you said in number 1 and number 2. On paper, yes, they are both just cookies and they overall behave the same way. There are a few benefits in using what people refer to as server cookies. I would suggest this read: https://docs.lytics.com/docs/client-server-side-cookie-deep-dive
For session management I would definitely add httponly, secure and samesite flags to your cookie to help mitigate a few known issues.
The goal of auth is just to make things more annoying to people to break, there's no perfect approach :)
The security considerations make sense. Thank you for sharing the article. :)
This package is exactly what I would need. The only thing that makes me not use it is that you are setting a client side cookie with the session... Please consider creating the cookie in the server/getToken function after:
const sessionCookie = getAuth().createSessionCookie(idToken, { expiresIn });
Right now you set it on the client after you retrieve the result of this action:
document.cookie = `firebase_nextjs_token=${sessionToken}; expires=${new Date(Date.now() + 3600 * 1000 * 24 * 14).toUTCString()}; path=/;`;
I checked the repo and it seems like you only need to check this cookie server side in the middleware, so it would be beneficial to also set a server cookie. https://nextjs.org/docs/app/api-reference/functions/cookies#cookiessetname-value-options
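As an added example (not code from this package or from anyone in the thread), here is what the server-side version of that cookie would look like with the flags mentioned above. It keeps the cookie name `firebase_nextjs_token` from the issue, treats the value as whatever `createSessionCookie` returned (a constructed string below), and builds both the options object in the shape `cookies().set(name, value, options)` takes and the equivalent raw `Set-Cookie` header, plus a small parser to check the flags; the `document.cookie` assignment in the issue can never produce `HttpOnly`, which is the main thing the server-side path buys you.

```javascript
// Added example, not the package's code. Cookie name taken from the issue.
const SESSION_COOKIE_NAME = 'firebase_nextjs_token';

// Options in the shape Next.js cookies().set(name, value, options) accepts.
// httpOnly: page scripts cannot read the token via document.cookie.
// secure: only sent over HTTPS. sameSite=lax: not sent on cross-site POSTs.
function sessionCookieOptions(expiresInMs) {
  return {
    httpOnly: true,
    secure: true,
    sameSite: 'lax',
    path: '/',
    maxAge: Math.floor(expiresInMs / 1000), // Max-Age is in seconds
  };
}

// The raw Set-Cookie header those options correspond to, for route
// handlers or frameworks that only expose response headers.
function sessionSetCookieHeader(sessionCookie, expiresInMs) {
  const o = sessionCookieOptions(expiresInMs);
  return [
    `${SESSION_COOKIE_NAME}=${encodeURIComponent(sessionCookie)}`,
    `Max-Age=${o.maxAge}`,
    `Path=${o.path}`,
    'HttpOnly',
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// Parses a Set-Cookie header into { name, value, attrs } so the flags
// can be asserted on (e.g. against a real response in a test).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1); // bare flag -> true
  }
  return { name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)), attrs };
}

// True only when the cookie carries all three flags recommended above.
function hasSessionFlags(header) {
  const { attrs } = parseSetCookie(header);
  return attrs.httponly === true && attrs.secure === true && typeof attrs.samesite === 'string';
}
```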