Hi, I was recently thinking about how to implement auth and researched the idea of storing the token in an httpOnly cookie, but I had a problem figuring out logout.
The main approach here is having an invalidation API that will invalidate this token, but imagine a scenario where you are on some kind of public device and need to log out, but the internet is down.
You cannot call the invalidation API and cannot delete the HttpOnly cookie from the client, so the next user of this device will have access to your account and session.
Hi Sir, that is indeed something very important to consider, thanks for adding to the discussion!
My suggestion would be to set a relatively short lifetime for the cookie so that it expires automatically, without an explicit logout request coming to your backend. You can always renew the cookie expiration datetime while the user stays logged in and keeps interacting with your app, to avoid disrupting the login session.
The recommended expiration time will depend on the use case.
If you're dealing with financial funds, for example, perhaps a few minutes would be ideal. In most cases, an hour or maybe even a few hours might be OK.
Some apps will provide a "keep connected" checkbox, so the user can tell it's a trusted computer and cookies can last longer, perhaps days or months.
Social websites, like Facebook, will set a very long expiration time. That's because they want to keep your browser identifiable as you search the web interacting with like/share buttons, for example.