0

Is there any way to remove or expire the httpOnly cookie stored in the client when reaching the server from another client (e.g. 2 different browsers)?

I want to create a "logout all" button that logs out the user from every device, by now I'm storing the cookies in the database and removing them from database when the user clicks in "logout all" an then I authenticate only if the cookie is stored in the database. Is this approach enough? Is there any security issues with it?

D. Pardal
  • 6,173
  • 1
  • 17
  • 37
lucas.mdiniz
  • 95
  • 1
  • 7

1 Answers1

0

You can't delete HTTP-only cookies without a request from the browser that has them. HTTP-only cookies are only modifiable via the Set-Cookie header.

By now I'm storing the cookies in the database and removing them from database when the user clicks in "logout all" an then I authenticate only if the cookie is stored in the database. Is this approach enough? Is there any security issues with it?

It depends on how you are generating them. If you're using a CSPRNG to generate a random token, that approach is secure and recommended, because if an attacker gets access to a computer the user logged in from, the user can revoke the token (assuming that the password cannot be changed using the token).

D. Pardal
  • 6,173
  • 1
  • 17
  • 37
  • I'm using JWT to generate them, in the Payload of the JWT i have just the user ID from the user data. So, i think that is secure. Thanks for the answer. – lucas.mdiniz Jul 14 '20 at 10:47