DEV Community

Discussion on: How I Fixed JWT Security Flaws in 3 Steps

byrro profile image
Renato Byrro Author • Edited on

Hi Sir, that is indeed something very important to consider, thanks for adding to the discussion!

My suggestion would be to set a relatively short life for the cookie so that it expires automatically, without an explicit logOut request comes to your backend. You can always renew the cookie expiration datetime when the user keeps logged and interacting with your app, to avoid disrupting the login session.

The recommended expiration time will depend on the use case.

If you're dealing with financial funds, for example, perhaps a few minutes would be ideal. In most cases, an hour or maybe even a few hours might be ok.

Some apps will provide a "keep connected" checkbox, so the user can tell it's a trusted computer and cookies can last longer - perhaps days or months.

Social websites, like Facebook, will set a very long expiration time. That's because they want to keep your browser identifiable as you search the web interacting with like/share buttons, for example.