0

I'm using Express cookie-session for authentication, which, if I understand correctly, works by storing a cookie locally in the browser of the user and no session data client-side.

The documentation says that in order to logout we should set req.session = null on the server. So right now, my client does an HTTP request to that endpoint.

Client:

async function logout() {
    await fetch(
        process.env.REACT_APP_SERVER_URL + "/logout",
        {
            method: "POST",
        }
    )
}

Server:

exports.logout = (req, res, next) => {
    req.session = null
    res.sendStatus(200)
}

But this can obviously fail if the server is down. So now I'm wondering if it's enough to just delete the session cookie client-side and even remove the logout endpoint completely. If there is no session data stored on the server, this should work just as well and not leave any residue, right?

Florian Walther
  • 6,237
  • 5
  • 46
  • 104

2 Answers2

1

Yes that is correct, you can just delete the cookie and next time when the client hits the server, there will be no session to identify the user, hence the user will be logged out.

However, generally, the client side should not be able to work with the session cookie for security reasons, and almost always the session cookie is marked as httpOnly meaning that it can't be manipulated with javascript on the client-side.

One extra precaution you could take (if you decide to let the client work with the session cookie) is to sign the cookie, so even if the client changes the contents of the cookie, the cookie signature will not be valid and will be rejected by the server.

Ivan V.
  • 7,593
  • 2
  • 36
  • 53
  • Thank you for your answer. My session cookie is marked with `httpOnly` and it seems that the client can not access it (and therefore not delete it locally). Is that correct? Also, Express cookie-session is using a "secret". Is this the signing you are talking about? – Florian Walther Mar 21 '22 at 10:49
  • Interestingly, Chrome extensions can access `httpOnly` cookies via the Chrome Cookie API. My React app, however, can't. – Florian Walther Mar 21 '22 at 10:50
  • 1
    Yes the "secret" is the key that is used to sign the cookie. If you want to proceed with your original plan, then `sign` the cookies and don't mark them `httpOnly` – Ivan V. Mar 21 '22 at 11:47
  • Do you have any idea why Chrome extensions are allowed to access `httpOnly` cookies via the Cookie API? I'm using that feature in my extension and there I *can* delete (and query) the cookie. https://developer.chrome.com/docs/extensions/reference/cookies/ – Florian Walther Mar 22 '22 at 20:43
  • Chrome extension can access all cookies: https://developer.chrome.com/docs/extensions/reference/cookies/ – Ivan V. Mar 22 '22 at 21:09
  • Right, I'm just wondering why. I thought JavaScript can not access them for security reasons. Then why do extensions not have this limitation? Maybe because they have to be explicitly installed. – Florian Walther Mar 22 '22 at 21:11
0

If your server is down, then you won't be even able to access your website in the first place. So from my point of view, this assumption doesn't make much sense, so always assume that your server is up (if that's the same server that serves your frontend).

From your server, you can use res.clearCookie to remove the cookie from the browser.

Raul
  • 515
  • 1
  • 6
  • 13
  • In my case, I was building a Chrome extension that would run even if the website was down, but use the same auth cookies as the website. – Florian Walther Sep 03 '22 at 06:46