HttpOnly cookies are exposed when cookies.getAll() is passed

Question

colinclerk opened this issue 8 months ago · comments

The technique used in the demo is dangerous, since HttpOnly cookies will be written to the document body:
https://github.com/moshest/next-client-cookies/blob/main/demo/app/layout.tsx#L17

Instead, an explicit allowlist can be used to specify which cookie names get passed to the provider.

Moshe Simantov · Answer 1 · Mon Nov 13 2023 23:29:56 GMT+0800 (China Standard Time)

I guess we don't need to pass the cookies to the client. We just need a place to store then while rending on the server-side.

Moshe Simantov · Answer 2 · Fri Nov 17 2023 00:14:12 GMT+0800 (China Standard Time)