Initially, I planned to add an expiration of 5 hours to the locale
cookie for `next-intl@4` to comply with GDPR regulations. However, this
has the implication that if the browser remains open for longer than 5
hours, the cookie can be reset in the middle of a session.
Due to this, it seems more reasonable to not set an expiration at all,
turning the cookie into a session cookie. Session cookies expire only
when a browser is closed. On mobile, this can be even more beneficial,
as browsers are rarely closed (the browser can clear cookies though if
memory is constrained).
docs/src/pages/docs/routing.mdx
+3-4
@@ -473,11 +473,10 @@ In this case, only the locale prefix and a potentially [matching domain](#domain
473
473
474
474
### Locale cookie [#locale-cookie]
475
475
476
-
If a user changes the locale to a value that doesn't match the `accept-language` header, `next-intl` will set a cookie called `NEXT_LOCALE` that contains the most recently detected locale. This is used to [remember the user's locale](/docs/routing/middleware#locale-detection) preference for future requests.
476
+
If a user changes the locale to a value that doesn't match the `accept-language` header, `next-intl` will set a session cookie called `NEXT_LOCALE` that contains the most recently detected locale. This is used to [remember the user's locale](/docs/routing/middleware#locale-detection) preference for subsequent requests.
477
477
478
478
By default, the cookie will be configured with the following attributes:
479
479
480
-
1.[**`maxAge`**](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#max-agenumber): This value is set to 5 hours in order to be [GDPR-compliant](#locale-cookie-gdpr) out of the box.
481
480
2.[**`sameSite`**](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value): This value is set to `lax` so that the cookie can be set when coming from an external site.
482
481
3.[**`path`**](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value): This value is not set by default, but will use the value of your [`basePath`](#base-path) if configured.
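Review bot: removing list item `1.` (`maxAge`) leaves the attribute list starting at `2.` (`sameSite`) and `3.` (`path`), which are unchanged context here; renumber them to `1.` and `2.` so the rendered list does not begin at 2. With that item gone, the list no longer says anything about the cookie's lifetime, so consider stating next to "By default, the cookie will be configured with the following attributes" that no `maxAge` is set, rather than relying only on the word "session" in the paragraph above.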
<summary>Which `maxAge` value should I consider for GDPR compliance?</summary>
516
515
517
-
The [Article 29 Working Party opinion 04/2012](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf) provides a guideline for the expiration of cookies that are used to remember the user's language in section 3.6 "UI customization cookies".
516
+
The [Article 29 Working Party opinion 04/2012](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf) provides a guideline for the expiration of cookies that are used to remember the user's language in section 3.6 "UI customization cookies". In this policy, a language preference cookie set as a result of an explicit user action, such as using a language switcher, is allowed to remain active for "a few additional hours" after a browser session has ended.
518
517
519
-
In this policy, a language preference cookie set as a result of an explicit user action, such as using a language switcher, is allowed to remain active for "a few additional hours" after a browser session has ended. To be compliant out of the box, `next-intl`sets the `maxAge` value of the cookie to 5 hours.
518
+
To be compliant out of the box, `next-intl`does not set the `max-age` value of the cookie, making it a session cookie that expires when a browser is closed.
520
519
521
520
However, the Working Party also states that if additional information about the use of cookies is provided in a prominent location (e.g. a "uses cookies" notice next to the language switcher), the cookie can be configured to remember the user's preference for "a longer duration". If you're providing such a notice, you can consider increasing `maxAge` accordingly.
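Review bot: the added sentence calls the attribute `max-age`, while the `<summary>` above it and the closing paragraph of this block both say `maxAge`; use `maxAge` in all three places so readers can match the text to the option they would configure. The missing space in "`next-intl`does" is carried over from the removed line and is worth fixing in the same change. Since the `<summary>` still asks which `maxAge` value to consider, the answer would read more clearly if it said outright that the default is no `maxAge` and that setting one is an opt-in tied to the notice described in the last paragraph.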