NextJS Auth: Where should the session cookie be set

[soscler]

From NextJS docs on authentication it is advised to set the session cookie on the server side. However in this the guide provided here, the cookies are set on the client side. What are the consequences of setting the cookie on client? Is it a security issue?

friendlyeats-web/nextjs-end/src/components/Header.jsx

Line 17 in 6bf6c0e

await setCookie("__session", idToken);

[raky291]

Yes, it's a security issue; we need to set the cookie on the server... the example should be updated to use best practices.