A guide to cookies in Next.js

Editor’s Note: This article was updated on 3 July 2023 to include information about common issues and fixes associated with the sameSite cookie attribute. For additional information about browser cookies, see this guide.

Cookies are data blobs that our browsers unknowingly contain. While some are fervent invaders of privacy, others attempt to improve the browsing experience by keeping track of your browsing habits, preferences, and more. Cookies are useful in situations like authentication, improving the UX, quicker response times, and the list goes on.

In this article, we’ll explore two packages that will allow us to achieve setting cookies in a Next.js application and implement them into an actual use case. To follow along, head over to this GitHub repository. Let’s get started!

Jump ahead:

• Cookies: Boon or ban?
• Working with react-cookies in Next.js
  • Binding a function to a button
• Using the cookies-next package in Next.js
  • Implementing API routes
  • Accessing API routes from the frontend
• Common issues and fixes

Cookies: Boon or bane?

Cookies are little text files that websites place on users’ computers. Cookies have generated discussion in recent years and have both benefits and drawbacks. Cookies can remember user preferences and settings, which can improve your session and personalization of surfing for users. The ability of cookies to trace users’ online behavior, however, presents privacy issues. As a result, several websites have standards requiring them to display their biscuit usage and provide users with the option to opt-out.

Furthermore, a few browsers give users the choice to remove or delete cookies, which may assist in guarding their privacy. Cookies can be helpful for users and websites, but it’s important to abide by the rules and be aware of any privacy dangers. Users are becoming more cautious and switching to different browsers to help them track cookies and disable adverts. It is ultimately up to users and website administrators to use cookies wisely because they can be both beneficial and disadvantageous.

Later in this article, we’ll look at how to use cookies to keep an application’s state consistent. For example, cookies can be used to check if a user is authorized, to see if a user has subscribed to a feature, and to check if a user has paid for access to paywalled content Cookies can also be used to persist state in the application for a variety of purposes.

Working with react-cookies in Next.js

The first package we will explore is react-cookies. This package aims to help you load and save cookies within your React application. Let’s create a simple application that keeps track of registered users.

If you haven’t already, launch a Next.js application by typing the following command:

npx create-next-app --ts

Now, install react-cookie with the following code:

npm install react-cookie

To start using the Hooks, add the CookiesProvider component in the _app.tsx file, like so:

import type { AppProps } from 'next/app';
import { CookiesProvider } from 'react-cookie';

function MyApp({ Component, pageProps }: AppProps) {
  return (
    <CookiesProvider>
      <Component {...pageProps} />
    </CookiesProvider>
  );
}

export default MyApp;

The Hooks are now available from any part of your application. Start using it by importing the useCookies Hook, as shown below:

import { useCookies } from 'react-cookie';

We can now fetch, add, and remove cookies from the application. Let’s start off by adding a useEffect Hook to fetch all cookies on load:

import { useCookies } from 'react-cookie';

const Home: NextPage = () => {
  const [cookies, setCookie, removeCookie] = useCookies(['user']);

  useEffect(() => {
    console.log('Cookies: ', cookies);
  }, [cookies]);

  return (
  <div>...</div>
)}

For now, you shouldn’t be able to see any cookies. So, let’s create a function to set cookies using the setCookie() function:

import { useRouter } from 'next/router';

//...inside the default function
const router = useRouter();

const setCookieHandler = () => {
  setCookie('new-user', true, {
    path: '/',
  });

  router.replace("/");
};

The setCookie() function takes in three arguments: the key, the key-value, and some configuration choices. These choices include, MaxAge, Path, Domain, expires, etc. The path option was used in this case to allow the program to access the cookie from any location.

As you can see, we also used the useRouter() Hook to reload our page using the replace() method to avoid adding a URL entry into the history stack. It will just look like the page re-rendered!

As we move forward, remember that this tutorial is focused only on demonstrating the capabilities of the specific packages. Therefore, we will assume that you understand concepts like authentication flow. To learn more about authentication in Next.js, refer to this guide. You can also review authentication flows in this article.

Binding a function to a button

Next up, let’s bind this function to a button. Input the following code:

{!cookies['user'] && (
  <button onClick={setCookieHandler} className={styles.button}>
    Complete new user registration!
  </button>
)}

In this case, the button will only render if the cookie exists. Run the development server to see this in action. You can see this cookie visually using the dev tools by triggering Control+Shift+J and then selecting the Application section, as shown below:

Now, let’s remove the cookie to allow the user to sign out. First, write another function:

const removeCookieHandler = () => {
  removeCookie('new-user');

  router.replace("/");
};

Next bind it to another button that will only render if the cookie is available. What does that mean? The cookie will be available if the user is registered. Here’s what that will look like:

{cookies['new-user'] && (
  <button onClick={removeCookieHandler} className={styles.resetbutton}>
    Reset new user registration
  </button>
)}

With that done, let’s explore the second package, cookies-next.

Using the cookies-next package in Next.js

Moving forward, we will look at how to use the cookies-next package. This package fits more with the Next.js ecosystem because it can be used anywhere on the client side, on the server side through getServerSideProps, and even with Next.js API routes. Here are the two packages head-to-head:

Another surprising fact about cookies-next (this one’s for all the bundle-phobic developers) is that it’s almost half the size of react-cookie. Essentially, making it more desirable to use it in your next project!🎉

As tradition goes, let’s start off by installing cookies-next with the following command:

npm install cookies-next 

The cookies-next package comes inbuilt with similar functions to the react-cookies package. These functions can be used for setting and removing cookies. Let’s create handler functions for setting and removing cookies with the following code:

// adding cookies
const addCookie = () => {
  setCookie('user', true, {
    path: '/',
  });
  router.replace('/');
};

// removing cookies
const removeCookie = () => {
  deleteCookie('user', {
    path: '/',
  });
  router.replace('/');
};

With that done, you can test it by binding it to different buttons that render if the cookie exists. In addition to getServerSidePropsand API routes, cookies-next package can also be used on the server side of the application.

Let’s look at an example where the user receives some information, has it verified, and then sets a cookie to indicate the information’s legitimacy, all on an API route.

Implementing API routes

Go ahead and make a new API route inside ./pages/api/verify-otp.ts. Inside the file, create a basic handler function with the following code:

export default function handler (
  req: NextApiRequest,
  res: NextApiResponse
) {
  return;  
}

The cookie will be set to indicate the trustworthiness of the user and expire after a specific period. More specifically, it will expire if there is some type of verification, such as a database to check the credentials or some OTP logic. The handlerfunction is as follows:

if (
    req.method === 'POST' // only allow POST requests
  ) {
  // caputure the credentials required for verification from the request body
  const { name } = req.body;

  //   otp verification logic

  //   set cookie
  setCookie('authorize', true, {
    req,
    res,
    maxAge: 60 * 60 * 24 * 7, // 1 week
    path: '/',
  });

  //   respond with status and message
  return res.status(200).json({
    message: `${name} is authorized to access`,
    authorize: true,
    code: '20-0101-2092',
  });
}

Here, the cookie expires after a week and will require the user to re-verify again. On successful verification, the API responds with a status 200 message with relevant data that can be displayed in the frontend.

Accessing API routes from the frontend

Now, let’s try to access this route from the frontend. The function can be triggered only if the user is registered the first time. Create a function with the following code:

const verifyOTP = async (name: string) => {
  const response = await fetch('/api/verify-otp', {
    method: 'POST',
    body: JSON.stringify({ name }),
  });

  const data = await response.json();

  if (data.authorize) {
    setAuthorization(true);
    setLaunchCode(data.code);
  } else {
    setAuthorization(false);
    alert('Invalid OTP');
  }
};

We can use the useState Hook to store the data coming from the API route and render the button conditionally and based on the isAuthorized variable. Use the following code:

const [isAuthorized, setAuthorization] = useState(false);
const [launchCode, setLaunchCode] = useState('');

With this done, try out the code written so far. You can check if the cookie exists by opening up the dev tools and heading selecting the Application section, as shown below:

I attempted to make the example more entertaining by generating a random code at every login. It will also set a cookie on the API route. You can experiment with your own original ideas and try out something cooler! Here’s what my example looks like:

Common issues and fixes

The sameSite feature is an important attribute of cookies, but it can also create issues in production-level applications:

The sameSite feature merely indicates whether a cookie can be retrieved through a different website with a different origin. Ideally, this should be accurate as it offers just one layer of defense against cross-site attacks.

In order to determine whether the scheme and the last portion of the domain name match, the sameSite browser mechanism analyzes the destination URI and the request coming from the client:

Since the sameSite parameter is set to true by default, the cookies won’t be registered if you’re a developer who frequently uses another smartphone and connects via the private IP address that the development server is hosted on your localhost.

The domain attribute is a crucial, yet occasionally confusing, element of cookies. This attribute determines which domains can access the cookie. If no domains are specified, the cookie’s default domain assignment will be the one that originally produced it. This is why it’s advisable to set the domain attribute in cases where many sub-domains are attempting to access the same cookies:

Conclusion

Cookies are crucial to web development. The react-cookie and cookies-next packages are ideal for a variety of use cases because of their distinctive features and advantages. React-cookie is far more popular, providing simple-to-use APIs and great compatibility with React framework. In contrast, cookies-next, a relatively new package explicitly created for Next.js, offers server-side rendering capabilities and improved security measures.

No matter which package you select, it is essential to understand how cookies operate and how to use them safely to prevent any security issues. These two packages make it simple for developers to handle cookies in Next.js applications, making it simpler to customize UX and enhance website speed.