Unexpected middleware/cookies() behavior #82952
Description
Link to the code that reproduces this issue
https://codesandbox.io/p/devbox/ztcf4r
To Reproduce
middleware.js v1
const response = NextResponse.next();
response.cookies.set({name: "session", *variables*});
return response;
Can access session with cookies() in the same request even though the cookie was never set or included in the browser.
middleware.js v2
const cookieStore = await cookies();
response.cookies.set({name: "session", *variables*});
return NextResponse.next();
Cannot access session with cookies() if cookies are blocked
Current vs. Expected behavior
Current: You can access cookies set in the middleware that were blocked and never set in the browser
Expected: If cookies are blocked, then it should not be possible to access them through cookies().
Provide environment information
Binaries:
Node: 22.13.1
Relevant Packages:
next: 15.5.0 // Latest available version is detected (15.5.0).
eslint-config-next: 15.5.0
react: 19.1.1
react-dom: 19.1.1
typescript: 5.8.3
Next.js Config:
output: N/AWhich area(s) are affected? (Select all that apply)
Cookies
Which stage(s) are affected? (Select all that apply)
next dev (local), next build (local), next start (local)
Additional context
No response