
Cookie names are not URI encoded in adapter-nextjs #14666

@tomcollins

JavaScript Framework

Next.js

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

Amplify Gen 2

Environment information

  System:
    OS: macOS 26.2
    CPU: (12) arm64 Apple M2 Pro
    Memory: 2.40 GB / 32.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 24.10.0 - /Users/<NAME>/.nvm/versions/node/v24.10.0/bin/node
    npm: 11.6.1 - /Users/<NAME>/.nvm/versions/node/v24.10.0/bin/npm
    pnpm: 10.16.1 - /opt/homebrew/bin/pnpm
  Browsers:
    Chrome: 143.0.7499.170
    Edge: 143.0.3650.96
    Safari: 26.2
  npmPackages:
    @ampproject/toolbox-optimizer:  undefined ()
    @apollo/client: ^4.0.9 => 4.0.11
    @apollo/client-integration-nextjs: ^0.14.3 => 0.14.3
    @aws-amplify/adapter-nextjs: ^1.6.12 => 1.6.12
    @aws-amplify/adapter-nextjs/api:  undefined ()
    @aws-amplify/adapter-nextjs/data:  undefined ()
    @aws-amplify/backend: ^1.16.1 => 1.19.0
    @aws-amplify/backend-cli: ^1.8.0 => 1.8.1
    @aws-sdk/client-sts: ^3.901.0 => 3.957.0 (3.621.0, 3.622.0, 3.777.0, 3.624.0)
    @babel/code-frame:  undefined ()
    @babel/core:  undefined ()
    @babel/runtime:  7.27.0
    @edge-runtime/cookies:  6.0.0
    @edge-runtime/ponyfill:  4.0.0
    @edge-runtime/primitives:  6.0.0
    @eslint/eslintrc: ^3 => 3.3.3
    @hapi/accept:  undefined ()
    @mswjs/interceptors:  undefined ()
    @napi-rs/triples:  undefined ()
    @next/font:  undefined ()
    @opentelemetry/api:  undefined ()
    @types/d3: ^7.4.3 => 7.4.3
    @types/mdx: ^2.0.13 => 2.0.13
    @types/node: ^20.19.9 => 20.19.27
    @types/react: ^19 => 19.2.7
    @types/react-dom: ^19 => 19.2.3
    @vercel/nft:  undefined ()
    @vercel/og:  0.7.2
    acorn:  undefined ()
    amphtml-validator:  undefined ()
    anser:  undefined ()
    assert:  undefined ()
    async-retry:  undefined ()
    async-sema:  undefined ()
    aws-amplify: ^6.15.9 => 6.15.9
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/adapter-core/internals:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/internals:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/enable-oauth-listener:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/data:  undefined ()
    aws-amplify/data/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    aws-sigv4-fetch: ^4.4.1 => 4.4.1
    aws4-axios: ^3.4.0 => 3.4.0
    axios: ^1.12.2 => 1.13.2
    babel-packages:  undefined ()
    browserify-zlib:  undefined ()
    browserslist:  undefined ()
    buffer:  undefined ()
    busboy:  undefined ()
    bytes:  undefined ()
    ci-info:  undefined ()
    cli-select:  undefined ()
    client-only:  0.0.1
    commander:  undefined ()
    comment-json:  undefined ()
    compression:  undefined ()
    conf:  undefined ()
    constants-browserify:  undefined ()
    content-disposition:  undefined ()
    content-type:  undefined ()
    cookie:  undefined ()
    cross-spawn:  undefined ()
    crypto-browserify:  undefined ()
    css.escape:  undefined ()
    d3: ^7.9.0 => 7.9.0
    data-uri-to-buffer:  undefined ()
    debug:  undefined ()
    devalue:  undefined ()
    domain-browser:  undefined ()
    edge-runtime:  undefined ()
    eslint: ^9 => 9.39.2
    eslint-config-next: 15.4.4 => 15.4.4
    events:  undefined ()
    find-up:  undefined ()
    fresh:  undefined ()
    glob: ^11.0.3 => undefined (7.2.3, 10.5.0, 11.1.0, )
    gzip-size:  undefined ()
    http-proxy:  undefined ()
    http-proxy-agent:  undefined ()
    https-browserify:  undefined ()
    https-proxy-agent:  undefined ()
    icss-utils:  undefined ()
    ignore-loader:  undefined ()
    image-size:  undefined ()
    is-animated:  undefined ()
    is-docker:  undefined ()
    is-wsl:  undefined ()
    jest-worker:  undefined ()
    json5:  undefined ()
    jsonwebtoken:  undefined ()
    loader-runner:  undefined ()
    loader-utils:  undefined ()
    lodash.curry:  undefined ()
    lru-cache:  undefined ()
    mini-css-extract-plugin:  undefined ()
    nanoid:  undefined ()
    native-url:  undefined ()
    neo-async:  undefined ()
    next: ^15.4.10 => 15.5.9
    next-auth: ^4.24.10 => 4.24.13
    next-images: ^1.8.5 => 1.8.5
    node-html-parser:  undefined ()
    ora:  undefined ()
    os-browserify:  undefined ()
    p-limit:  undefined ()
    p-queue:  undefined ()
    path-browserify:  undefined ()
    path-to-regexp:  undefined ()
    picomatch:  undefined ()
    punycode:  undefined ()
    querystring-es3:  undefined ()
    raw-body:  undefined ()
    react: 19.2.3 => 19.2.3 (18.3.1, 19.1.0)
    react-builtin:  undefined ()
    react-dom: 19.2.3 => 19.2.3 (18.3.1, 19.1.0)
    react-is:  19.2.0-canary-0bdb9206-20250818
    react-refresh:  0.12.0
    regenerator-runtime:  0.13.4
    sass: ^1.89.2 => 1.97.1 ()
    stream-http:  undefined ()
    string-hash:  undefined ()
    string_decoder:  undefined ()
    strip-ansi:  undefined ()
    superstruct:  undefined ()
    tar:  undefined ()
    terser:  undefined ()
    text-table:  undefined ()
    timers-browserify:  undefined ()
    tsx: ^4.20.3 => 4.21.0 (4.19.4)
    tty-browserify:  undefined ()
    typescript: ^5.9.3 => 5.9.3 (4.4.4, 4.9.5)
  npmGlobalPackages:
    corepack: 0.34.0
    npm: 11.6.1

Describe the bug

Cognito auth cookie names may include an email address e.g. CognitoIdentityServiceProvider.XXXXXXXXXXX.My_Name@example.com.accessToken

The @ is not encoded during the sign-in-callback handler.

The outcome of this issue is that adapter-nextjs is unable to read the accessToken, idToken and refreshToken cookies as the unencoded cookie name does not match the expected value.

The cookie name should be encoded e.g. CognitoIdentityServiceProvider.XXXXXXXXXXX.My_Name%40example.com.accessToken


The cookies are set here:

appendSetCookieHeadersToNextApiResponse(
  response,
  createTokenCookies({
    tokensPayload,
    userPoolClientId,
  }),
  createTokenCookiesSetOptions(setCookieOptions, origin),
);

I have followed the control flow and cannot see any encoding of the name or values before being included in the Set-Cookie header.


When the cookies are read by the adapter, the names are always encoded first, e.g.

return cookieStore.get(ensureEncodedForJSCookie(name));

So the get never returns a value, even though the cookie is set.


I modified serialiseCookie.ts to encode the name and value resulting in the cookies being read correctly.

const serializeCookie = (name, value, options) => `${encodeURIComponent(name)}=${encodeURIComponent(value)};${options ? serializeSetCookieOptions(options) : ''}`;

Expected behavior

Cookie names are encoded.

Cognito auth cookies that have email addresses in the name can be read correctly.

Reproduction steps

  1. Set up adapter-nextjs with a configuration that includes an email address in the cookie name
  2. Authenticate and trigger the sign-in-callback handler
  3. Check if the client is authenticated

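The mismatch described in this issue, as a stand-alone example added here (not part of the original issue and not Amplify's code). The function names, the simplified cookie store and the sample token are assumptions made for illustration; `encodeURIComponent` stands in for the encoding the read path applies to the name.

```javascript
// Added illustration; every name below is a hypothetical stand-in.

// Write path as described in the issue: name and value go into Set-Cookie verbatim.
const serializeRaw = (name, value) => `${name}=${value}`;

// Write path with the reporter's change: name and value are both URI encoded.
const serializeEncoded = (name, value) =>
  `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;

// Simplified browser + cookie store. Assumption: the cookie name is stored
// exactly as it was sent, with no decoding or normalisation.
const cookieStoreFrom = (setCookieHeaders) => {
  const jar = new Map();
  for (const header of setCookieHeaders) {
    const pair = header.split(';')[0];
    const eq = pair.indexOf('=');
    jar.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return { get: (name) => jar.get(name) };
};

// Read path as described in the issue: the name is encoded before the lookup.
// Assumption: values are URI decoded on read.
const readToken = (store, name) => {
  const raw = store.get(encodeURIComponent(name));
  return raw === undefined ? undefined : decodeURIComponent(raw);
};

// Constructed sample values; the client id and token are placeholders.
const NAME =
  'CognitoIdentityServiceProvider.XXXXXXXXXXX.My_Name@example.com.accessToken';
const TOKEN = 'constructed.token.value';

// Set the cookie with the given serializer, then read it back by its logical name.
const roundTrip = (serialize) =>
  readToken(cookieStoreFrom([`${serialize(NAME, TOKEN)};Path=/`]), NAME);

const demo = () => ({
  rawWrite: roundTrip(serializeRaw),         // stored under '@', looked up under '%40'
  encodedWrite: roundTrip(serializeEncoded), // stored and looked up under '%40'
});

console.log(demo());
```

The raw write leaves the token cookie in the jar but unreachable, which is why the session appears unauthenticated even though the browser holds the cookies.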

Labels: bug (Something isn't working), pending-maintainer-review (PR is pending a review from the Amplify team.)
