Next Cookies the same for all users on Vercel deployment
Unanswered
Spectacled Caiman posted this in #help-forum
Spectacled CaimanOP
Hello all,
I am trying to use Next.js cookies to store the user's username after they log in, but I have found that this means all users of my deployment have access to these cookies. I want the cookies to be device-specific, rather than applicable to the domain which many users are accessing. I assume this is because the cookies are HTTP-only and therefore stored on the server rather than the frontend, but I am wondering what ways around this there are?
Thanks in advance
6 Replies
Nope, cookies are device specific, this is also true for HTTP-only cookies
HTTP-only cookies are simply not available to client-side JavaScript code, so they are not considered by privacy solutions like Safari ITP and are not subject to XSS attack (but they are subject to CSRF attacks, basically forcing your site to send its cookies using a hacked subdomain of your main domain)
so you can store a username in a cookie
what led you to think the cookie would be shared across users?
Spectacled CaimanOP
Just the error I am getting made me think that. As soon as one person on the domain registers, it doesn't give out any more codes, even if someone from a new device connects. This led me to believe it was some issue with cache/cookies. It works fine locally so it is likely something to do with Vercel; I will have a check for other issues. Thanks a lot
Spectacled CaimanOP
Fixed.
I had a GET request that should have been a POST so it was caching when it shouldn't have been. Doh
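The failure mode described in the last post, as an added example that is not part of the original thread: a simplified model of a shared cache sitting in front of an endpoint that hands out codes. The cache logic, the `/api/register` path and all function names are assumptions for illustration, not Vercel's or Next.js's implementation.

```javascript
// Constructed model: an origin handler that issues a fresh code on every call.
let issued = 0;
function origin(method, cacheControl) {
  issued += 1;
  return { status: 200, headers: { "cache-control": cacheControl }, body: `code-${issued}` };
}

// Simplified shared cache. The key is method + URL only: it does not depend on
// which device or cookie made the request. Only GET responses are storable,
// and only when Cache-Control does not contain no-store or private.
function makeSharedCache(handler) {
  const store = new Map();
  return function fetchThroughCache(method, url, cacheControl) {
    const key = `${method} ${url}`;
    if (method === "GET" && store.has(key)) {
      return { ...store.get(key), cache: "HIT" };
    }
    const res = handler(method, cacheControl);
    const cc = (res.headers["cache-control"] || "").toLowerCase();
    const storable = method === "GET" && !/\b(no-store|private)\b/.test(cc);
    if (storable) store.set(key, res);
    return { ...res, cache: storable ? "MISS" : "BYPASS" };
  };
}

// Three different devices call the same (hypothetical) URL through one cache.
function simulate(method, cacheControl) {
  issued = 0;
  const fetchThroughCache = makeSharedCache(origin);
  return ["device-a", "device-b", "device-c"].map(
    () => fetchThroughCache(method, "/api/register", cacheControl).body
  );
}

// Cacheable GET: every device receives the first device's code.
console.log(simulate("GET", "public, max-age=60"));
// POST: never stored, so each device reaches the origin.
console.log(simulate("POST", "public, max-age=60"));
// GET marked private/no-store: also reaches the origin each time.
console.log(simulate("GET", "private, no-store"));
```

A quick check on a deployed endpoint is to call it twice from different clients and compare the bodies and the response's cache-related headers; identical per-user data on both calls points at caching rather than cookies.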