NirmalScaria / firebase-nextjs

Effortless firebase integration for NextJS
https://www.npmjs.com/package/firebase-nextjs
MIT License

Consider using Server Cookie #13

Open DiiiaZoTe opened 1 month ago

DiiiaZoTe commented 1 month ago

This package is exactly what I would need. The only thing that makes me not use it is that you are setting a client-side cookie with the session... Please consider creating the cookie in the server/getToken function after: const sessionCookie = getAuth().createSessionCookie(idToken, { expiresIn });

Right now you set it on the client after you retrieve the result of this action: document.cookie = `firebase_nextjs_token=${sessionToken}; expires=${new Date(Date.now() + 3600 * 1000 * 24 * 14).toUTCString()}; path=/;`;

I checked the repo and it seems like you only need to check this cookie server side in the middleware, so it would be beneficial to also set a server cookie. https://nextjs.org/docs/app/api-reference/functions/cookies#cookiessetname-value-options

NirmalScaria commented 1 month ago

The suggestion makes sense, and I will implement it soon. But, just curious, how is it really different? Both are practically doing the same thing as far as I understand.

  1. Currently it generates the cookie on the server side, passes it in the response body, and it is set on the client by JavaScript.
  2. With your suggestion, the cookie will be generated on the server side and passed to the client through the response header (Set-Cookie header), and it is set on the client by the browser.

Both practically do the same thing right?

DiiiaZoTe commented 1 month ago

So you are correct in what you said in number 1 and number 2. On paper yes, they are both just cookies and they overall behave the same way. There are a few benefits in using what people refer to as server cookies. I would suggest this read: https://docs.lytics.com/docs/client-server-side-cookie-deep-dive

For session management I would definitely add HttpOnly, Secure and SameSite flags to your cookie to help mitigate a few known issues.

The goal of auth is just to make things more annoying to people to break, there's no perfect approach :)
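An added example (not code from firebase-nextjs or from either commenter) that shows the practical difference the two comments above are discussing: a cookie written from page JavaScript via document.cookie can never carry HttpOnly, while a cookie set by the server through a Set-Cookie header (or Next.js cookies().set, which emits that header) can carry HttpOnly, Secure and SameSite. The block builds the hardened header for the issue's firebase_nextjs_token cookie, shows the cookies().set option object that produces it, and audits any Set-Cookie value for the three flags. The session cookie value is a constructed placeholder standing in for the output of firebase-admin's createSessionCookie(); the helper names are the example's own.

```javascript
// Added example, not part of firebase-nextjs. Node.js, no dependencies.
// Cookie name comes from the issue; the value is a constructed placeholder
// for what getAuth().createSessionCookie(idToken, { expiresIn }) returns.
const COOKIE_NAME = "firebase_nextjs_token";
const TWO_WEEKS_SECONDS = 60 * 60 * 24 * 14; // same 14-day lifetime as the issue's document.cookie line

// RFC 6265 cookie-octet: no control chars, whitespace, '"', ',', ';' or '\'.
// A Firebase session cookie is a JWT (base64url + dots), which passes this.
const COOKIE_OCTET = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

// Options object in the shape Next.js cookies().set(name, value, options) accepts.
// httpOnly is the attribute the client-side document.cookie approach cannot express.
function sessionCookieOptions(maxAgeSeconds = TWO_WEEKS_SECONDS, sameSite = "lax") {
  return {
    httpOnly: true, // page scripts cannot read the cookie, so XSS cannot lift the session
    secure: true,   // never sent over plaintext HTTP
    sameSite,       // "lax" keeps normal top-level navigations working; "strict" is tighter
    path: "/",
    maxAge: maxAgeSeconds,
  };
}

// Server side: build the Set-Cookie header value the browser will apply.
function buildSessionSetCookie(sessionCookieValue, opts = sessionCookieOptions()) {
  if (typeof sessionCookieValue !== "string" || !COOKIE_OCTET.test(sessionCookieValue)) {
    throw new Error("session cookie value contains characters not allowed in a cookie");
  }
  const sameSite = opts.sameSite.charAt(0).toUpperCase() + opts.sameSite.slice(1);
  const parts = [`${COOKIE_NAME}=${sessionCookieValue}`, `Path=${opts.path}`, `Max-Age=${opts.maxAge}`];
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Parse one Set-Cookie header value into its name, value and attribute map.
// Attribute names are lower-cased because they are case-insensitive.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = nameValue.indexOf("=");
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    if (i === -1) attributes[attr.toLowerCase()] = true;
    else attributes[attr.slice(0, i).trim().toLowerCase()] = attr.slice(i + 1).trim();
  }
  return { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attributes };
}

// Audit: return the session-cookie protections a Set-Cookie value is missing.
function auditSessionCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (attributes.httponly !== true) findings.push("missing HttpOnly: readable by page scripts");
  if (attributes.secure !== true) findings.push("missing Secure: may be sent over plaintext HTTP");
  const sameSite = String(attributes.samesite || "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict") {
    findings.push("missing or weak SameSite: attached to cross-site requests");
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  const placeholder = "CONSTRUCTED.session.cookie"; // stands in for createSessionCookie() output
  // What the issue's document.cookie line amounts to, expressed as a header.
  const clientStyle = `${COOKIE_NAME}=${placeholder}; expires=Tue, 01 Jan 2030 00:00:00 GMT; path=/`;
  console.log("client-side style:", auditSessionCookie(clientStyle));
  console.log("server Set-Cookie:", buildSessionSetCookie(placeholder));
  console.log("findings:", auditSessionCookie(buildSessionSetCookie(placeholder)));
}

module.exports = { buildSessionSetCookie, parseSetCookie, auditSessionCookie, sessionCookieOptions };
```

Inside a Next.js server action or route handler the same attributes are passed as cookies().set(COOKIE_NAME, sessionCookie, sessionCookieOptions()), and the middleware that already reads the cookie keeps working unchanged, since HttpOnly only hides the cookie from scripts, not from requests.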

NirmalScaria commented 1 month ago

The security considerations make sense. Thank you for sharing the article. :)