Great explanation. I'm coming from PHP to React via Next JS. Was really struggling with storing secure cookies server-side with Next JS and not getting the answers I needed. This was clear and concise. Thanks for that and I am definitely going to buy that course.
Nice!! I also come from PHP :) Spent a lot of time with CakePHP back in the day. I hope you enjoy the course!
Man, I was having so much trouble understanding authentication. Thank you so much, you deserve more views.
Sweet!! That's the best... glad I can "unlock" some difficulties
I guess I'm kinda off topic, but does anyone know a good place to stream new TV shows online?
@Paul Cullen I watch on flixzone. You can find it on Google =)
Well explained, a lot of developers always have difficulties explaining cookies and sessions... super well done.
The best way to SET and REMOVE the cookie on the server side... Thank you so much 🤜🤛
I was struggling with cookies-next for almost 2 hours. js-cookie and you saved my life. Ty.
After hours of research this video solved my confusion. Thank you for your help!
Where have you been all my life :))) thank you so much!!!
Your content is awesome!
Most of what I've learned about NextJS was in your channel :)
Thank you!
Thank you Sthefano!! Glad I can help a little bit :)
Actual tutorials, thank you 😍
You’re very welcome Artsvi!
Huge thanks for posting this Leigh - video came just as I was beginning to ask questions on this! Thanks for continuing to put out awesome content!
Thank you Terry! I hope the vid helps :D
Man, I was stuck on a bug for 2 weeks and this video helped me resolve it.
Nice!! Glad you got it figured out!
Thanks a lot dude! I was actually having a problem deleting a httpOnly cookie and your video made it clear to me!
Sweet! That's awesome :) The key is that it has to be deleted server side... sorta annoying but I guess that's the point to an httpOnly cookie haha.
@leighhalliday Hey, actually I am facing some issue in deleting the cookie. It gets deleted when I'm working on my localhost, but once I deployed my website to Vercel the cookie is not getting deleted. Can you please help me out with it?
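The thread above is about clearing an httpOnly cookie server side and the "deletes on localhost, not on Vercel" symptom. As an added example (not code from the video or from any commenter), here are Next.js pages/api-style login and logout handlers that build the Set-Cookie headers from one shared set of attributes, plus a check that the clearing header actually targets the cookie the login header created. The cookie name, handler names and the 8-hour lifetime are assumptions.

```javascript
// Added example, not code from the video or from any commenter. A pair of
// Next.js pages/api-style handlers that set and clear an HttpOnly session
// cookie. Cookie name, handler names and the 8-hour lifetime are assumptions.

const COOKIE_NAME = "session";

// Build a Set-Cookie header value by hand (the `cookie` npm package does the
// same job). Attributes are emitted in a fixed order so headers are comparable.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);
  parts.push(`Path=${opts.path || "/"}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}

// One source of truth for the scoping attributes, shared by login and logout.
// Secure is tied to the environment: on http://localhost a Secure cookie is
// rejected by the browser; on an https deployment it should always be set.
function cookieScope(isProduction) {
  return { path: "/", httpOnly: true, secure: isProduction, sameSite: "Strict" };
}

// Login: store the token in the cookie with a bounded lifetime.
function loginCookie(token, isProduction) {
  return serializeCookie(COOKIE_NAME, token, { ...cookieScope(isProduction), maxAge: 60 * 60 * 8 });
}

// Logout: the browser only discards the cookie if the clearing header names
// the same cookie (same name, Path and Domain); Max-Age=0 plus an epoch
// Expires makes it expire immediately. A mismatch in these attributes between
// login and logout is the classic "deletes locally, survives in production" bug.
function logoutCookie(isProduction) {
  return serializeCookie(COOKIE_NAME, "", { ...cookieScope(isProduction), maxAge: 0, expires: new Date(0) });
}

// Stricter check: the clearing header must match name, Path, Domain, Secure
// and SameSite of the setting header, so the two never drift apart.
function clearsSameCookie(setHeader, clearHeader) {
  const scope = (h) => h.split("; ").filter((p) => /^(Path|Domain|Secure|SameSite)/i.test(p)).sort().join("; ");
  const name = (h) => h.split("=")[0];
  return name(setHeader) === name(clearHeader) && scope(setHeader) === scope(clearHeader);
}

// Next.js API route shape (pages/api/login.js and pages/api/logout.js).
// `return` the final response so no later code tries to write headers again,
// which is what triggers "Cannot set headers after they are sent".
function loginHandler(req, res, token, isProduction) {
  res.setHeader("Set-Cookie", loginCookie(token, isProduction));
  return res.status(200).json({ ok: true });
}
function logoutHandler(req, res, isProduction) {
  res.setHeader("Set-Cookie", logoutCookie(isProduction));
  return res.status(200).json({ ok: true });
}
```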
Hi. When you talk about server-side cookies, what does it mean that the browser can't read the cookies? Probably you can't get them from the JS client, but we can still read them from the devtools. I think that I didn't get this security part.
Hi! I really appreciate you doing all these tutorials.
You're very welcome Vlad!! Glad you enjoyed the video :)
Great explanation. Is it possible for the refresh token?
This is exactly what I am looking for. Thx.
Thank you, king 🤴
Hi, how would you use js-cookie from the _app file, since I need to set the cookie and check it in any page of the app, and then need to use getInitialProps instead of getServerSideProps?
Thank you for your explanation. But I have a question: can I use the same API endpoint with a mobile app? Because I'm used to using tokens in local storage.
Thank you for the explanation.
I'm wondering how I can pass that cookie back to the server for authorization checking (I mean the secure way).
Thank you Leigh! A stupid question: I'm working on a Next.js auth session. In a real scenario, must my http only cookie (jwt) always be visible in my Storage_Inspector/Cookies? Or must my http only cookies NEVER be visible in the browser? I don't know if I've made myself clear.
Hey Berlino! HTTP only cookies aren't visible in JavaScript, but they get sent to the server with each request.
@leighhalliday thank you
Sir, wonderful explanation, this was very helpful thank you.
Great explanation, I really liked your calm tone and method of teaching.
I just have one doubt. How can I read this cookie to make sure that the user does not need to login?
Which cases would you just want to use local storage?
Thank you Leigh
Thanks Igor!! :) Glad you enjoyed it!
Hello, I'm just wondering how I can apply this if the API is from Django. I can't get the token from the cookie when I'm fetching a GET API from Django, it says unauthorized; it seems that the bearer token is not set properly, but when I refresh the browser the cookie is accessible and the GET API works. How can I achieve handling the token from the cookie without refreshing the browser?
Thank you so much Leigh !
Hi Leigh!, thank you for making this amazing course!
I just have a question.
I make a request to the login API and I receive the refresh token that is in the cookie and the access token that is in the response body. Now how should I handle the access token on the client side (Next.js)? If I store this in a global state like the context API, then I don't have access to that state in the getServerSideProps function, and I can't set it in request.header.authorization because getServerSideProps runs on the server side and the state is on the client side!
What is the right flow for this kind of case?
Beginner here bro, does the backend usually set up httponly: true? Not the frontend? Does the frontend just receive the secure token to store directly in the cookies?
We load our app inside an iframe under third party sites. Third party cookies are automatically blocked inside an iframe. Does that mean I can never use frameworks like Next.js or Remix?
Hello, great video
I would like to know why you are defining the cookie in the frontend instead of in api/login.js?
Beginner here bro, does the backend usually set up httponly: true? Not the frontend setting up httponly: true? Does the frontend just receive the secure token with httponly: true already attached, to store directly in the cookies?
Thanks for the example. Does this still apply now or is there a better way?
I really like the way you explained. I wanted to buy your course through the "Get Access" button, but the button didn't work.
How can I protect it from a CSRF attack? Please reply.
Thank you, but can it work if I deploy the Next.js app and the Express.js app to different domains?
After setting the token from the server side, how can I use the token to check whether a client is logged in or not?
Explained so well, thank you so much!
Thanks Andrew!
Very well explained, thanks!
Hey Leigh, I had a question. Even if Javascript on the frontend won't be able to read the http-only cookies, we can still see its value on the browser's Developers Tools, so how does that make it safer? For example, would it be safe to store JWT Authentication tokens as http-only cookies?
Hey Sayantan! It's safer because that is you, the owner of that auth cookie looking at your own cookie value. This is opposed to a random piece of javascript executing on your page being able to access the value of this cookie.
@leighhalliday So does that mean once I deploy my application, the users won't be able to see the set cookies?
@sayantankarmakar4191 The only person who can see it is you, or anyone who can use your laptop.
Thank you. Awesome tutorial 💪
Thank you Norb! Glad you enjoyed it.
I feel like a cookie master now! Well, almost. ;)
I'm also craving a cookie haha... white chocolate chip macadamia nut.
Great!
I have a question about getServerSideProps.
If I router.push to the page with getServerSideProps, is the page SSR?
Hey! Hmmm... I think so! I think Next.js handles that for us. I'm only 95% sure though :D
Great vid!
PS: How does this work with a pre-rendered page where I don't have access to the req object? SSR is not the fastest for most apps.
You're an absolute boss, Leigh! Quick question, when you checked out the api calls in the dev tools you could see the value of the token. Is that not a problem because the value was set on the server instead of set on the client (aka h4ck3rs can't manipulate your code on the server so it didn't matter that they could read the token)?
Hey OAMP! It's not a problem because that's between the browser and the server; it won't be visible to anyone else, especially if it's transmitted over HTTPS.
Great video man
Appreciate it!
Thanks, you're a life saver.
Thanks Leigh.
I'm new to Next.js. I have this .ts file that detects some redirects. In other words, it detects some special URLs in my app. Let's say it detects /hello-world in the URL. I then want to delete a cookie on the SSR side. How would I do this? I don't know where to get the res from on the page.
Hey Dennis! Hmm from your comment I’m not sure what to recommend… if you’re new to nextjs, you may enjoy my course! next.leighhalliday.com we cover server side cookies in it.
Awesome content, helped me a lot!! Thanks!
I am unable to get the cookies in _app.js. How can I get it there?
How do I read the token from _app to setUser login?
Love the video, thanks!
Thank you Ginger Viking... great name by the way!
So I am using axios on the frontend and I see you are returning the session token with getServerSideProps. Now my question is how do I send this to axios? Do I need to pass this token to all the children, which will be hell for me? Can I store this token in a context, or is that also a bad way of doing it? Or can I create a function to fetch the token and then call axios? Please let me know which is the best way of doing this.
Quick question,
in case of isomorphic application development, after login the cookies are set at client side and the API used for login does not belong to the same domain, how do I cover this scenario? Please advise.
I don't think you can have HttpOnly cookies across multiple domains unfortunately... unless I'm wrong?
I do this, but in production I have problems.
Is there a size limit on server side cookies?
Thanks for helping 💯
Thanks for sharing this.
You're very welcome! :D
How to use it with express-session and without Next.js API routes?
Hey! Sorry... I don't have an answer for you :) No clue! I have only used express with Next.js one time and it didn't have any sessions.
@leighhalliday Sir, actually I am running Express and Next.js on different servers. Even if you could refer me to any idea how I could save the cookie from the API to Next.js, or any reference, it would be helpful...
How to set the cookie server side in the Next 13 app router?
Did you find the answer?
Great tutorial! How would you authenticate certain routes though (without next-auth)? I'm trying to do the authentication with WordPress and its REST API but really struggle. I'd also like to avoid getServerSideProps as it would make my whole project slow again.
Hey Alex! Hmm... I suppose you could add a client side check that confirms you have access before anything at all is rendered... but I think either way adding validation adds a slight slowdown. If you can use a cookie with confidence, I don't think getServerSideProps would slow you down too much... we're probably talking < 100ms.
@leighhalliday Em... having seen the difference, I'd say it definitely does slow down significantly. I mean, right now I'm authenticating the user with user credentials, generating a jwt (having the jwt plugin there), and when the credentials match on WordPress, storing the jwt info in an httponly cookie. But how to access this on the client without getServerSideProps? Also, not sure if this is the best approach... what would you recommend? :) I was thinking about the passport library etc. but not sure.
Hi, I set up the cookie using the login API route as shown in the video. I want to send the jwt token from the client end to do some queries and mutations on the server. The cookie is not available on the client end to do that operation. One way is to get the cookie in getServerSideProps and pass it on to the component, or the other way is to store it locally using local storage or a client side cookie. What would be your suggestion? Is there any other way out?
Hey Bak! If the server is on the same domain it'll be passed automatically to the backend with the request. If it's a different domain, I think you'll have to store the token somewhere client-side so you can add it in as a header.
@leighhalliday thanks for the reply. It is clear; will test it out.
It worked, thank you so much.
Ty, really helpful.
Thanks Juan! Glad you enjoyed it!
Thank you so much!
Glad it helped!
awesome!
Thanks :)
Can anyone manipulate server side cookies?
If you have it as an http only cookie, nope
Thank you
Thanks
What if you want to fetch data on the server with these cookies? How would it work?
Hey Pedro! That’s exactly what I did in getServerSideProps, which runs server side. You’d access cookies in the exact same way in an API page function.
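As an added example of what the reply above describes (and of the earlier questions about checking whether a user is logged in), not code from the video or from any commenter: a pages-router getServerSideProps that reads the httpOnly session cookie from context.req, which the browser attaches automatically on same-site requests, and redirects when there is no valid session. The cookie name, the verifySession stand-in and the constructed token are assumptions.

```javascript
// Added example, not the video's code: a pages-router getServerSideProps that
// reads the HttpOnly session cookie from `context.req` and decides whether the
// user is logged in. Cookie name, `verifySession` and the constructed token
// are assumptions.

const COOKIE_NAME = "session";

// Parse a raw Cookie request header such as "session=abc; theme=dark".
function parseCookies(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    if (key) cookies[key] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return cookies;
}

// Stand-in for the real check (signature verification or a session-store
// lookup). Only the constructed token below counts as a live session.
const VALID_TOKENS = new Map([["tok-constructed-123", { userId: "u1" }]]);
function verifySession(token) {
  return (token && VALID_TOKENS.get(token)) || null;
}

// Runs on the server for every request to the page, so it can see the
// HttpOnly cookie that client-side JavaScript cannot.
function getServerSideProps(context) {
  const cookies = parseCookies(context.req.headers.cookie);
  const session = verifySession(cookies[COOKIE_NAME]);
  if (!session) {
    // No valid session: redirect instead of rendering the protected page.
    return { redirect: { destination: "/login", permanent: false } };
  }
  // Return only what the page needs. Props are serialized into the page's
  // __NEXT_DATA__ script, so passing the raw token here would expose it to
  // any script on the page, undoing the point of HttpOnly.
  return { props: { userId: session.userId } };
}
```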
bro you saved my ass thanks
Hi Hall, this is Hendra from Indonesia. Is your course available on Udemy? Your course looks great, covering lots of stuff...
Hey Kurniawan! No, it's not on Udemy but you can get a purchasing power parity code here to make the price more reasonable for you next.leighhalliday.com/ppp
I'm getting this error on logout: Cannot set headers after they are sent to the client
Hmm... double check to ensure your backend doesn't have any errors... that's something I've noticed can cause it.
@leighhalliday Yeah, I was sending res.json without returning it.
Thanks a lot.
I'm so confused about how the Node server works in Next.js. Is it all single files for any route? What about secret routes?
Watching the entire app to help you :)
Hey Julia! Each one runs as a serverless function when it's deployed. You'd have to write code to guard access if certain routes are to be "secret"... by secret you mean authorized users only, right?
js-cookie returns undefined
I think you should comment in your video that this is not how a login or logout should work and to be honest, I think using login and logout as the example was suboptimal. Someone new to all this might get a totally wrong impression. Good video otherwise.