I'm developing user session management for a website. Flow:
- Session is nonexistent/invalid, frontend directs user to login page
- User logs in
- Backend creates session in its database
- Backend creates session ID cookie
- Frontend passes session ID cookie in each request for authentication
My question: how will the frontend know whether the session is nonexistent/invalid? It needs to handle the case when a user changes their password, after which all their sessions across devices are revoked. So the frontend needs to check with the backend somehow.
Possible approaches:
1. Backend provides a GET /session API, which tells whether the session is active. Frontend calls it before each request, and redirects to login if the session is inactive. But this seems like a lot of extra requests.
2. Frontend calls GET /session upon each browser load of the website (CTRL-R). If the session is invalidated while on an authed page, the page won't work until reloaded, which will go to login. This might be enough, if unauthed and authed pages are completely separate.
3. Backend APIs return HTTP 401 if the session is inactive. When the frontend sees that, it directs the user to login. This is more realtime than #2 and doesn't need the extra GET /session requests. I don't know if this has any issues I'm not seeing.
Which is the best approach?