@chemmangat/msal-next 5.2.1 → 5.3.1

package/CHANGELOG.md

@@ -2,7 +2,42 @@
 
 All notable changes to this project will be documented in this file.
 
-## [5.2.1] - 2026-04-07
+## [5.3.0] - 2026-04-07
+
+### 🐛 Bug Fixes
+
+#### Fix 1 — Auto-sync `msal.account` session cookie (no manual cookie code needed)
+
+`MsalAuthProvider` now automatically writes and clears the `msal.account` cookie on every auth event. The middleware works out of the box with zero manual setup.
+
+- `LOGIN_SUCCESS` → writes `msal.account` cookie (`{ homeAccountId, username, name }`, URL-encoded, `path=/; SameSite=Lax`)
+- `LOGOUT_SUCCESS` / `LOGOUT_END` → clears the cookie
+- Redirect flow (`handleRedirectPromise`) → writes cookie immediately after redirect completes
+- Existing cached account on init → restores cookie (handles browser restart with `localStorage` cache)
+
+#### Fix 2 — `setServerSessionCookie` no longer calls a non-existent API route
+
+The old implementation called `fetch('/api/auth/session')` which required an undocumented route that didn't exist. It now writes `document.cookie` directly — same format as Fix 1. The function signature changed from `async (account, accessToken?) => Promise<void>` to `(account) => void`.
+
+A new `clearServerSessionCookie()` helper is also exported from `@chemmangat/msal-next/server`.
+
+> As of v5.3.0 you rarely need to call either function manually — `MsalAuthProvider` handles the cookie automatically.
+
+#### Fix 3 — `useTokenRefresh` now reads real token expiry
+
+The hook previously hardcoded `expiresIn = 3600`. It now calls `instance.acquireTokenSilent` directly and reads `response.expiresOn` to calculate the actual remaining seconds. Falls back to `3600` if `expiresOn` is `null`.
+
+#### Fix 4 — `navigateToLoginRequestUrl` JSDoc default corrected
+
+The `@defaultValue` in `MsalAuthConfig` was documented as `true` but the actual default in `createMsalConfig` was `false`. Corrected to `@defaultValue false`.
+
+#### Fix 5 — No `/api/auth/session` route required
+
+All references to the non-existent `/api/auth/session` route have been removed. Cookie management is now entirely client-side via `document.cookie`.
+
+---
+
+
 
 ### 🐛 Bug Fix
 

package/dist/index.d.mts

@@ -167,7 +167,7 @@ interface MsalAuthConfig {
      * @remarks
      * If true, redirects to the page that initiated login after successful auth.
      *
-     * @defaultValue true
+     * @defaultValue false
      */
     navigateToLoginRequestUrl?: boolean;
     /**
@@ -1037,6 +1037,11 @@ interface GraphApiOptions extends RequestInit {
      * @default false
      */
     debug?: boolean;
+    /**
+     * Expected response type. Use 'blob' for binary data like images.
+     * @default 'json'
+     */
+    responseType?: 'json' | 'blob' | 'text';
 }
 interface UseGraphApiReturn {
     /**

package/dist/index.d.ts

@@ -167,7 +167,7 @@ interface MsalAuthConfig {
      * @remarks
      * If true, redirects to the page that initiated login after successful auth.
      *
-     * @defaultValue true
+     * @defaultValue false
      */
     navigateToLoginRequestUrl?: boolean;
     /**
@@ -1037,6 +1037,11 @@ interface GraphApiOptions extends RequestInit {
      * @default false
      */
     debug?: boolean;
+    /**
+     * Expected response type. Use 'blob' for binary data like images.
+     * @default 'json'
+     */
+    responseType?: 'json' | 'blob' | 'text';
 }
 interface UseGraphApiReturn {
     /**

package/dist/index.js

@@ -46,10 +46,10 @@ __export(client_exports, {
   retryWithBackoff: () => retryWithBackoff,
   safeJsonParse: () => safeJsonParse,
   sanitizeError: () => sanitizeError,
-  useAccount: () => import_msal_react4.useAccount,
+  useAccount: () => import_msal_react5.useAccount,
   useGraphApi: () => useGraphApi,
-  useIsAuthenticated: () => import_msal_react4.useIsAuthenticated,
-  useMsal: () => import_msal_react4.useMsal,
+  useIsAuthenticated: () => import_msal_react5.useIsAuthenticated,
+  useMsal: () => import_msal_react5.useMsal,
   useMsalAuth: () => useMsalAuth,
   useMultiAccount: () => useMultiAccount,
   useRoles: () => useRoles,
@@ -66,7 +66,7 @@ __export(client_exports, {
 module.exports = __toCommonJS(client_exports);
 
 // src/components/MsalAuthProvider.tsx
-var import_msal_react2 = require("@azure/msal-react");
+var import_msal_react3 = require("@azure/msal-react");
 var import_msal_browser3 = require("@azure/msal-browser");
 var import_react3 = require("react");
 
@@ -673,6 +673,7 @@ Note: Environment variables starting with NEXT_PUBLIC_ are exposed to the browse
 
 // src/hooks/useTokenRefresh.ts
 var import_react2 = require("react");
+var import_msal_react2 = require("@azure/msal-react");
 
 // src/hooks/useMsalAuth.ts
 var import_msal_react = require("@azure/msal-react");
@@ -851,7 +852,8 @@ function useTokenRefresh(options = {}) {
     onRefresh,
     onError
   } = options;
-  const { isAuthenticated, account, acquireTokenSilent } = useMsalAuth();
+  const { isAuthenticated, account } = useMsalAuth();
+  const { instance } = (0, import_msal_react2.useMsal)();
   const intervalRef = (0, import_react2.useRef)(null);
   const lastRefreshRef = (0, import_react2.useRef)(null);
   const expiresInRef = (0, import_react2.useRef)(null);
@@ -860,23 +862,27 @@ function useTokenRefresh(options = {}) {
       return;
     }
     try {
-      await acquireTokenSilent(scopes);
+      const response = await instance.acquireTokenSilent({
+        scopes,
+        account,
+        forceRefresh: false
+      });
       lastRefreshRef.current = /* @__PURE__ */ new Date();
-      const expiresIn = 3600;
+      const expiresIn = response.expiresOn ? Math.max(0, response.expiresOn.getTime() / 1e3 - Date.now() / 1e3) : 3600;
       expiresInRef.current = expiresIn;
       onRefresh?.(expiresIn);
     } catch (error) {
       console.error("[TokenRefresh] Failed to refresh token:", error);
       onError?.(error);
     }
-  }, [isAuthenticated, account, acquireTokenSilent, scopes, onRefresh, onError]);
+  }, [isAuthenticated, account, instance, scopes, onRefresh, onError]);
   (0, import_react2.useEffect)(() => {
     if (!enabled || !isAuthenticated) {
       return;
     }
     refresh();
     intervalRef.current = setInterval(() => {
-      if (!expiresInRef.current) {
+      if (expiresInRef.current === null) {
         return;
       }
       const timeSinceRefresh = lastRefreshRef.current ? (Date.now() - lastRefreshRef.current.getTime()) / 1e3 : 0;
@@ -1009,6 +1015,23 @@ function validateTenantAccess(account, config) {
 // src/components/MsalAuthProvider.tsx
 var import_jsx_runtime = require("react/jsx-runtime");
 var globalMsalInstance = null;
+function writeMsalSessionCookie(account) {
+  try {
+    const data = encodeURIComponent(JSON.stringify({
+      homeAccountId: account.homeAccountId,
+      username: account.username,
+      name: account.name ?? ""
+    }));
+    document.cookie = `msal.account=${data}; path=/; SameSite=Lax`;
+  } catch {
+  }
+}
+function clearMsalSessionCookie() {
+  try {
+    document.cookie = "msal.account=; path=/; SameSite=Lax; expires=Thu, 01 Jan 1970 00:00:00 GMT";
+  } catch {
+  }
+}
 function getMsalInstance() {
   return globalMsalInstance;
 }
@@ -1058,6 +1081,7 @@ function MsalAuthProvider({
             }
             if (response.account) {
               instance.setActiveAccount(response.account);
+              writeMsalSessionCookie(response.account);
               if (config.multiTenant) {
                 const validation = validateTenantAccess(response.account, config.multiTenant);
                 if (!validation.allowed) {
@@ -1103,6 +1127,7 @@ function MsalAuthProvider({
         const accounts = instance.getAllAccounts();
         if (accounts.length > 0 && !instance.getActiveAccount()) {
           instance.setActiveAccount(accounts[0]);
+          writeMsalSessionCookie(accounts[0]);
         }
         const loggingEnabled = config.enableLogging || false;
         instance.addEventCallback((event) => {
@@ -1111,6 +1136,7 @@ function MsalAuthProvider({
             const account = "account" in payload ? payload.account : payload;
             if (account) {
               instance.setActiveAccount(account);
+              writeMsalSessionCookie(account);
             }
             if (loggingEnabled) {
               console.log("[MSAL] Login successful:", account?.username);
@@ -1122,10 +1148,14 @@ function MsalAuthProvider({
           }
           if (event.eventType === import_msal_browser3.EventType.LOGOUT_SUCCESS) {
             instance.setActiveAccount(null);
+            clearMsalSessionCookie();
             if (loggingEnabled) {
               console.log("[MSAL] Logout successful");
             }
           }
+          if (import_msal_browser3.EventType.LOGOUT_END !== void 0 && event.eventType === import_msal_browser3.EventType.LOGOUT_END) {
+            clearMsalSessionCookie();
+          }
           if (event.eventType === import_msal_browser3.EventType.ACQUIRE_TOKEN_SUCCESS) {
             const payload = event.payload;
             if (payload?.account && !instance.getActiveAccount()) {
@@ -1157,7 +1187,7 @@ function MsalAuthProvider({
   if (!msalInstance) {
     return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(import_jsx_runtime.Fragment, { children: loadingComponent || /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { children: "Loading authentication..." }) });
   }
-  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(import_msal_react2.MsalProvider, { instance: msalInstance, children: [
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(import_msal_react3.MsalProvider, { instance: msalInstance, children: [
     autoRefreshToken && /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
       TokenRefreshManager,
       {
@@ -1400,6 +1430,7 @@ function useGraphApi() {
         scopes = ["User.Read"],
         version = "v1.0",
         debug = false,
+        responseType = "json",
         ...fetchOptions
       } = options;
       try {
@@ -1425,9 +1456,16 @@ function useGraphApi() {
         if (response.status === 204 || response.headers.get("content-length") === "0") {
           return null;
         }
-        const data = await response.json();
+        let data;
+        if (responseType === "blob") {
+          data = await response.blob();
+        } else if (responseType === "text") {
+          data = await response.text();
+        } else {
+          data = await response.json();
+        }
         if (debug) {
-          console.log("[GraphAPI] Response:", data);
+          console.log("[GraphAPI] Response:", responseType === "blob" ? "[Blob]" : data);
         }
         return data;
       } catch (error) {
@@ -1535,11 +1573,9 @@ function useUserProfile() {
       try {
         const photoBlob = await graph.get("/me/photo/$value", {
           scopes: ["User.Read"],
-          headers: {
-            "Content-Type": "image/jpeg"
-          }
+          responseType: "blob"
         });
-        if (photoBlob) {
+        if (photoBlob instanceof Blob && photoBlob.size > 0) {
           photoUrl = URL.createObjectURL(photoBlob);
         }
       } catch (photoError) {
@@ -1927,11 +1963,11 @@ var ErrorBoundary = class extends import_react10.Component {
 };
 
 // src/hooks/useMultiAccount.ts
-var import_msal_react3 = require("@azure/msal-react");
+var import_msal_react4 = require("@azure/msal-react");
 var import_msal_browser4 = require("@azure/msal-browser");
 var import_react11 = require("react");
 function useMultiAccount(defaultScopes = ["User.Read"]) {
-  const { instance, accounts, inProgress } = (0, import_msal_react3.useMsal)();
+  const { instance, accounts, inProgress } = (0, import_msal_react4.useMsal)();
   const [activeAccount, setActiveAccount] = (0, import_react11.useState)(
     instance.getActiveAccount()
   );
@@ -3166,7 +3202,7 @@ function withPageAuth(Component2, authConfig, globalConfig) {
 }
 
 // src/client.ts
-var import_msal_react4 = require("@azure/msal-react");
+var import_msal_react5 = require("@azure/msal-react");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AccountList,

package/dist/index.mjs

@@ -614,6 +614,7 @@ Note: Environment variables starting with NEXT_PUBLIC_ are exposed to the browse
 
 // src/hooks/useTokenRefresh.ts
 import { useEffect, useRef, useCallback as useCallback2 } from "react";
+import { useMsal as useMsal2 } from "@azure/msal-react";
 
 // src/hooks/useMsalAuth.ts
 import { useMsal, useAccount } from "@azure/msal-react";
@@ -792,7 +793,8 @@ function useTokenRefresh(options = {}) {
     onRefresh,
     onError
   } = options;
-  const { isAuthenticated, account, acquireTokenSilent } = useMsalAuth();
+  const { isAuthenticated, account } = useMsalAuth();
+  const { instance } = useMsal2();
   const intervalRef = useRef(null);
   const lastRefreshRef = useRef(null);
   const expiresInRef = useRef(null);
@@ -801,23 +803,27 @@ function useTokenRefresh(options = {}) {
       return;
     }
     try {
-      await acquireTokenSilent(scopes);
+      const response = await instance.acquireTokenSilent({
+        scopes,
+        account,
+        forceRefresh: false
+      });
       lastRefreshRef.current = /* @__PURE__ */ new Date();
-      const expiresIn = 3600;
+      const expiresIn = response.expiresOn ? Math.max(0, response.expiresOn.getTime() / 1e3 - Date.now() / 1e3) : 3600;
       expiresInRef.current = expiresIn;
       onRefresh?.(expiresIn);
     } catch (error) {
       console.error("[TokenRefresh] Failed to refresh token:", error);
       onError?.(error);
     }
-  }, [isAuthenticated, account, acquireTokenSilent, scopes, onRefresh, onError]);
+  }, [isAuthenticated, account, instance, scopes, onRefresh, onError]);
   useEffect(() => {
     if (!enabled || !isAuthenticated) {
       return;
     }
     refresh();
     intervalRef.current = setInterval(() => {
-      if (!expiresInRef.current) {
+      if (expiresInRef.current === null) {
         return;
       }
       const timeSinceRefresh = lastRefreshRef.current ? (Date.now() - lastRefreshRef.current.getTime()) / 1e3 : 0;
@@ -950,6 +956,23 @@ function validateTenantAccess(account, config) {
 // src/components/MsalAuthProvider.tsx
 import { Fragment, jsx, jsxs } from "react/jsx-runtime";
 var globalMsalInstance = null;
+function writeMsalSessionCookie(account) {
+  try {
+    const data = encodeURIComponent(JSON.stringify({
+      homeAccountId: account.homeAccountId,
+      username: account.username,
+      name: account.name ?? ""
+    }));
+    document.cookie = `msal.account=${data}; path=/; SameSite=Lax`;
+  } catch {
+  }
+}
+function clearMsalSessionCookie() {
+  try {
+    document.cookie = "msal.account=; path=/; SameSite=Lax; expires=Thu, 01 Jan 1970 00:00:00 GMT";
+  } catch {
+  }
+}
 function getMsalInstance() {
   return globalMsalInstance;
 }
@@ -999,6 +1022,7 @@ function MsalAuthProvider({
             }
             if (response.account) {
               instance.setActiveAccount(response.account);
+              writeMsalSessionCookie(response.account);
               if (config.multiTenant) {
                 const validation = validateTenantAccess(response.account, config.multiTenant);
                 if (!validation.allowed) {
@@ -1044,6 +1068,7 @@ function MsalAuthProvider({
         const accounts = instance.getAllAccounts();
         if (accounts.length > 0 && !instance.getActiveAccount()) {
           instance.setActiveAccount(accounts[0]);
+          writeMsalSessionCookie(accounts[0]);
         }
         const loggingEnabled = config.enableLogging || false;
         instance.addEventCallback((event) => {
@@ -1052,6 +1077,7 @@ function MsalAuthProvider({
             const account = "account" in payload ? payload.account : payload;
             if (account) {
               instance.setActiveAccount(account);
+              writeMsalSessionCookie(account);
             }
             if (loggingEnabled) {
               console.log("[MSAL] Login successful:", account?.username);
@@ -1063,10 +1089,14 @@ function MsalAuthProvider({
           }
           if (event.eventType === EventType.LOGOUT_SUCCESS) {
             instance.setActiveAccount(null);
+            clearMsalSessionCookie();
             if (loggingEnabled) {
               console.log("[MSAL] Logout successful");
             }
           }
+          if (EventType.LOGOUT_END !== void 0 && event.eventType === EventType.LOGOUT_END) {
+            clearMsalSessionCookie();
+          }
           if (event.eventType === EventType.ACQUIRE_TOKEN_SUCCESS) {
             const payload = event.payload;
             if (payload?.account && !instance.getActiveAccount()) {
@@ -1341,6 +1371,7 @@ function useGraphApi() {
         scopes = ["User.Read"],
         version = "v1.0",
         debug = false,
+        responseType = "json",
         ...fetchOptions
       } = options;
       try {
@@ -1366,9 +1397,16 @@ function useGraphApi() {
         if (response.status === 204 || response.headers.get("content-length") === "0") {
           return null;
         }
-        const data = await response.json();
+        let data;
+        if (responseType === "blob") {
+          data = await response.blob();
+        } else if (responseType === "text") {
+          data = await response.text();
+        } else {
+          data = await response.json();
+        }
         if (debug) {
-          console.log("[GraphAPI] Response:", data);
+          console.log("[GraphAPI] Response:", responseType === "blob" ? "[Blob]" : data);
         }
         return data;
       } catch (error) {
@@ -1476,11 +1514,9 @@ function useUserProfile() {
       try {
         const photoBlob = await graph.get("/me/photo/$value", {
           scopes: ["User.Read"],
-          headers: {
-            "Content-Type": "image/jpeg"
-          }
+          responseType: "blob"
         });
-        if (photoBlob) {
+        if (photoBlob instanceof Blob && photoBlob.size > 0) {
           photoUrl = URL.createObjectURL(photoBlob);
         }
       } catch (photoError) {
@@ -1868,11 +1904,11 @@ var ErrorBoundary = class extends Component {
 };
 
 // src/hooks/useMultiAccount.ts
-import { useMsal as useMsal2 } from "@azure/msal-react";
+import { useMsal as useMsal3 } from "@azure/msal-react";
 import { InteractionStatus as InteractionStatus2 } from "@azure/msal-browser";
 import { useCallback as useCallback5, useMemo as useMemo2, useState as useState5, useEffect as useEffect7 } from "react";
 function useMultiAccount(defaultScopes = ["User.Read"]) {
-  const { instance, accounts, inProgress } = useMsal2();
+  const { instance, accounts, inProgress } = useMsal3();
   const [activeAccount, setActiveAccount] = useState5(
     instance.getActiveAccount()
   );
@@ -3107,7 +3143,7 @@ function withPageAuth(Component2, authConfig, globalConfig) {
 }
 
 // src/client.ts
-import { useMsal as useMsal3, useIsAuthenticated, useAccount as useAccount2 } from "@azure/msal-react";
+import { useMsal as useMsal4, useIsAuthenticated, useAccount as useAccount2 } from "@azure/msal-react";
 export {
   AccountList,
   AccountSwitcher,
@@ -3137,7 +3173,7 @@ export {
   useAccount2 as useAccount,
   useGraphApi,
   useIsAuthenticated,
-  useMsal3 as useMsal,
+  useMsal4 as useMsal,
   useMsalAuth,
   useMultiAccount,
   useRoles,

package/dist/server.d.mts

@@ -41,14 +41,33 @@ interface ServerSession {
  */
 declare function getServerSession(): Promise<ServerSession>;
 /**
- * Helper to set server session in cookies (call from client-side after auth)
+ * Writes the `msal.account` session cookie directly via `document.cookie`.
+ *
+ * @remarks
+ * **Must be called from a Client Component** (browser context only).
+ *
+ * As of v5.3.0 this is no longer necessary for most apps — `MsalAuthProvider`
+ * automatically writes and clears the cookie on every login/logout event.
+ * Only call this manually if you need to set the cookie outside of the normal
+ * MSAL auth flow (e.g. after a silent SSO check in a custom component).
  *
  * @example
  * ```tsx
- * // After successful login
- * await setServerSessionCookie(account, accessToken);
+ * 'use client';
+ * import { setServerSessionCookie } from '@chemmangat/msal-next/server';
+ *
+ * // After a custom auth event:
+ * setServerSessionCookie(account);
  * ```
  */
-declare function setServerSessionCookie(account: any, accessToken?: string): Promise<void>;
+declare function setServerSessionCookie(account: any): void;
+/**
+ * Clears the `msal.account` session cookie.
+ *
+ * @remarks
+ * **Must be called from a Client Component** (browser context only).
+ * As of v5.3.0 this is handled automatically by `MsalAuthProvider` on logout.
+ */
+declare function clearServerSessionCookie(): void;
 
-export { type ServerSession, getServerSession, setServerSessionCookie };
+export { type ServerSession, clearServerSessionCookie, getServerSession, setServerSessionCookie };

package/dist/server.d.ts

@@ -41,14 +41,33 @@ interface ServerSession {
  */
 declare function getServerSession(): Promise<ServerSession>;
 /**
- * Helper to set server session in cookies (call from client-side after auth)
+ * Writes the `msal.account` session cookie directly via `document.cookie`.
+ *
+ * @remarks
+ * **Must be called from a Client Component** (browser context only).
+ *
+ * As of v5.3.0 this is no longer necessary for most apps — `MsalAuthProvider`
+ * automatically writes and clears the cookie on every login/logout event.
+ * Only call this manually if you need to set the cookie outside of the normal
+ * MSAL auth flow (e.g. after a silent SSO check in a custom component).
  *
  * @example
  * ```tsx
- * // After successful login
- * await setServerSessionCookie(account, accessToken);
+ * 'use client';
+ * import { setServerSessionCookie } from '@chemmangat/msal-next/server';
+ *
+ * // After a custom auth event:
+ * setServerSessionCookie(account);
  * ```
  */
-declare function setServerSessionCookie(account: any, accessToken?: string): Promise<void>;
+declare function setServerSessionCookie(account: any): void;
+/**
+ * Clears the `msal.account` session cookie.
+ *
+ * @remarks
+ * **Must be called from a Client Component** (browser context only).
+ * As of v5.3.0 this is handled automatically by `MsalAuthProvider` on logout.
+ */
+declare function clearServerSessionCookie(): void;
 
-export { type ServerSession, getServerSession, setServerSessionCookie };
+export { type ServerSession, clearServerSessionCookie, getServerSession, setServerSessionCookie };

package/dist/server.js

@@ -63,27 +63,29 @@ async function getServerSession() {
     };
   }
 }
-async function setServerSessionCookie(account, accessToken) {
+function setServerSessionCookie(account) {
+  if (typeof document === "undefined") {
+    console.warn("[ServerSession] setServerSessionCookie must be called in a browser (Client Component) context.");
+    return;
+  }
   try {
-    const accountData = {
+    const data = encodeURIComponent(JSON.stringify({
       homeAccountId: account.homeAccountId,
       username: account.username,
-      name: account.name
-    };
-    await fetch("/api/auth/session", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({
-        account: accountData,
-        token: accessToken
-      })
-    });
+      name: account.name ?? ""
+    }));
+    document.cookie = `msal.account=${data}; path=/; SameSite=Lax`;
   } catch (error) {
     console.error("[ServerSession] Failed to set session cookie:", error);
   }
 }
+function clearServerSessionCookie() {
+  if (typeof document === "undefined") {
+    return;
+  }
+  document.cookie = "msal.account=; path=/; SameSite=Lax; expires=Thu, 01 Jan 1970 00:00:00 GMT";
+}
 
+exports.clearServerSessionCookie = clearServerSessionCookie;
 exports.getServerSession = getServerSession;
 exports.setServerSessionCookie = setServerSessionCookie;

package/dist/server.mjs

@@ -61,26 +61,27 @@ async function getServerSession() {
     };
   }
 }
-async function setServerSessionCookie(account, accessToken) {
+function setServerSessionCookie(account) {
+  if (typeof document === "undefined") {
+    console.warn("[ServerSession] setServerSessionCookie must be called in a browser (Client Component) context.");
+    return;
+  }
   try {
-    const accountData = {
+    const data = encodeURIComponent(JSON.stringify({
       homeAccountId: account.homeAccountId,
       username: account.username,
-      name: account.name
-    };
-    await fetch("/api/auth/session", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({
-        account: accountData,
-        token: accessToken
-      })
-    });
+      name: account.name ?? ""
+    }));
+    document.cookie = `msal.account=${data}; path=/; SameSite=Lax`;
   } catch (error) {
     console.error("[ServerSession] Failed to set session cookie:", error);
   }
 }
+function clearServerSessionCookie() {
+  if (typeof document === "undefined") {
+    return;
+  }
+  document.cookie = "msal.account=; path=/; SameSite=Lax; expires=Thu, 01 Jan 1970 00:00:00 GMT";
+}
 
-export { getServerSession, setServerSessionCookie };
+export { clearServerSessionCookie, getServerSession, setServerSessionCookie };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chemmangat/msal-next",
-  "version": "5.2.1",
+  "version": "5.3.1",
   "description": "Production-ready Microsoft/Azure AD authentication for Next.js App Router. Zero-config setup, TypeScript-first, multi-account support, auto token refresh. The easiest way to add Microsoft login to your Next.js app.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",