
How to revoke HttpOnly cookies in the browser when logging out in the frontend?

Situation:

  1. I set an authentication cookie for logged-in users on the server.
  2. The cookie is marked as HttpOnly to prevent XSS attacks.
  3. The cookie is set with a 3-month expiration so the user does not have to enter credentials every time.
  4. Occasionally, when the user clicks the logout button, the network is not working for some unknown reason, so the browser keeps that cookie after the user has logged out.
  5. To prevent this from happening, I have to force the browser to revoke the cookies after the user clicks the logout button.
  6. But the wiki told me that I do not have permission to change HttpOnly cookies.

So, how can I revoke the HttpOnly cookie?
Or have I missed something in the session configuration on the server?

欧阳维杰
  • `when the user clicked the logout button, the network is not working for some unknown reason` - fix this - unless you mean this sometimes happens rather than it's a permanent issue – Jaromanda X Aug 07 '19 at 05:00
  • alternatively, set a cookie in the client side code to signal the fact that the client has logged out – Jaromanda X Aug 07 '19 at 05:02
  • Do any of the answers on this semi-related question help? https://stackoverflow.com/questions/27978868/destroy-cookie-nodejs – JoshG Aug 07 '19 at 05:08
  • Why is this question tagged with `nodejs` when this is a client-side issue? – Dai Aug 07 '19 at 05:09
  • because I don't know whether I have missed something on the server side for this question @Dai – 欧阳维杰 Aug 07 '19 at 05:11
  • @AndroidNoobie No, I cannot revoke HttpOnly cookies that way. – 欧阳维杰 Aug 07 '19 at 05:14
  • But what if bad guys copied the cookies from my browser after my logout failed and do not send that specified cookie to fake my server in their next action? @JaromandaX – 欧阳维杰 Aug 07 '19 at 05:28
  • the non-http cookie would just be an indicator – Jaromanda X Aug 07 '19 at 05:42
  • But no matter what you have done, the server didn't revoke that authentication cookie and that cookie remains in the browser. Then is there a security risk? @JaromandaX – 欧阳维杰 Aug 07 '19 at 05:49

1 Answer

There's a workaround:

Whenever a user clicks the logout button, set a new, separately named cookie for the website's domain that indicates to the web server that the user's HTTP-only cookie should be immediately expired on the next successful HTTP request (e.g. expire-my-session-cookie). Finally, on the server, add a middleware, request interceptor or HTTP module (I don't know what server-side platform you're using) that checks for this expire-my-session-cookie and, if present, redirects or rewrites the request to the real logout handler to complete the task of expiring any HTTP-only cookies.

I don't think there's any security risk here, as if your site does have a script-injection vulnerability then a malicious script could unilaterally log off your users anyway simply by setting window.location = 'http://your/logoff/page'.

Something like this in the rendered HTML:

<a href="/logoff" onclick="document.cookie = 'expire-my-session-cookie=true'; return true;">logoff</a>

Something like this as an HTTP middleware (i.e. executed on every request, except static files and assets):

(Pseudocode)

function expireSessionMiddleware( request, response, next ) {

    // Requires a cookie parser (e.g. cookie-parser in Express) to populate request.cookies
    if( request.cookies && request.cookies["expire-my-session-cookie"] == "true" ) {

        // Set all of the user's cookies to expire immediately:
        for( const name of Object.keys( request.cookies ) ) {

            response.cookie( name, "", { expires: new Date( 0 ) } );
        }

        return response.redirect( 'logoff-handler' );
    }
    else {

        // Otherwise continue as normal:
        return next();
    }
}
Dai
  • Thanks a lot for your answer. That's much clearer. I am writing a one-page web app on the front end and using node.js + express on the backend. Based on your answer, what if bad guys copied the cookies from my browser after my logout failed and do not send that specified cookie to fake my server in their next action? – 欧阳维杰 Aug 07 '19 at 05:23
  • Perhaps I should not set HttpOnly for authentication cookies? – 欧阳维杰 Aug 07 '19 at 05:30
  • @欧阳维杰 If the bad-guys have copied your cookies then there is absolutely nothing you can do and you've already lost. This is why it's important to keep "secret" cookies (like auth tokens) as HTTP-only. However having a "please log-me-off"-cookie as non-HTTP-only is okay because it doesn't confer any useful information to an attacker. – Dai Aug 07 '19 at 05:51
  • So, here is the idea: I need to set two cookies for logged-in users, one for authentication and one for "please log-me-off". The server side will check both cookies when users do some personal actions? – 欧阳维杰 Aug 07 '19 at 06:01
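The two-cookie scheme from the answer above, modelled end to end in dependency-free Node.js as an added example (not code from the answer or from Express). The in-memory session store, the cookie name `session` and the function names are assumptions; it also shows why the marker cookie should dispatch to the logoff handler internally rather than clearing cookies and then redirecting, since the redirected request would no longer carry the session cookie that the server needs to invalidate.

```javascript
// Dependency-free Node.js model of the two-cookie logout scheme.
// The in-memory session store and the function names are assumptions of this example.
const sessions = new Map();       // sessionId -> user (constructed store)
sessions.set('abc123', 'alice');  // constructed sample session

// Parse a raw Cookie request header ("a=1; b=2") into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Set-Cookie value that expires `name` immediately; only the server can do
// this for an HttpOnly cookie. Path must match the cookie being cleared.
function expireCookie(name) {
  return `${name}=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly`;
}

// The real logoff handler: invalidate the session server-side first (so a
// copied cookie stops working even if the browser kept it), then expire every
// cookie the browser sent, including the HttpOnly session and the marker.
function logoffHandler(req) {
  const cookies = parseCookies(req.headers.cookie);
  if (cookies.session) sessions.delete(cookies.session);
  return {
    status: 302,
    headers: { Location: '/', 'Set-Cookie': Object.keys(cookies).map(expireCookie) },
  };
}

// Middleware run on every request: when the non-HttpOnly marker cookie set by
// the logout button is present, dispatch to the logoff handler internally.
// Clearing cookies and then redirecting would drop the session cookie from the
// follow-up request, leaving the server unable to invalidate the session.
function logoutMiddleware(req, next) {
  const cookies = parseCookies(req.headers.cookie);
  if (cookies['expire-my-session-cookie'] === 'true') return logoffHandler(req);
  return next(req);  // otherwise continue as normal
}

// True while the session cookie still maps to a live server-side session.
function isLoggedIn(req) {
  return sessions.has(parseCookies(req.headers.cookie).session || '');
}
```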