Secure token storage (HttpOnly Cookies) and Middleware patterns. Use when implementing authentication, secure session storage, or auth middleware in Next.js.
Installation
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Secure token storage (HttpOnly Cookies) and Middleware patterns. Use when implementing authentication, secure session storage, or auth middleware in Next.js.
Use HttpOnly Cookies for token storage. Never use LocalStorage or sessionStorage.
Implementation Guidelines
Token Storage: Strictly use HttpOnly, Secure cookies with SameSite: 'Lax' or 'Strict'. Set reasonable maxAge (e.g., 86400). Never store access tokens in localStorage or sessionStorage (XSS-vulnerable). LocalStorage causes hydration issues in Server Components.
Access Management: Read and verify tokens in Next.js Middleware (middleware.ts) for edge-side redirection and route protection.
Next.js 15+ Async: cookies() Promise from next/headers and must awaited.
Library Selection: Prefer next-auth (Auth.js) or Clerk for social logins and session management.
Data Access: Always use DAL (Data Access Layer) to validate credentials and verify cookie presence before rendering.
CSRF Protection: Guard all Server Actions and Route Handlers by verifying Origin/Referer headers.
User Verification: Use await auth() (Auth.js) or custom getSession() helper in Server Components.