Logout and Expiration
There are lots of different use cases for the user's session time. In some apps, the user wants to remain logged in basically forever, like a social media site. In other apps, the user wants to log out after a certain amount of time, and in some cases they may want to be logged out after a certain amount of inactivity (like a banking app).
In this exercise, we're going to look at what it takes to implement a logout button and a session expiration.
Logging out of a cookie-managed session is pretty easy. You simply need to remove the part of the cookie that identifies the user. You could delete the cookie altogether, or you could simply "unset" the user ID portion of the cookie:
Then you commit the session in the response and you're golden.
It's important to note that you should almost never perform mutations within a GET request, so rather than having a link to a /logout page, which is all too common, you should have a button that performs a POST request. This reduces the risk of CSRF.
When a cookie expires, the browser will automatically delete it. So it won't show up in future requests. Almost like it was never created in the first place.
By default, a cookie will expire when the session is over, which is when the browser is closed. However, you can set an expiration date on the cookie so that it will expire at a certain time. This is useful for things like "remember me" functionality, where you want the user to remain logged in for a long time.
Many people misunderstand this feature because they check "remember me" and then find they're logged out anyway after a certain amount of time. This usually happens because the cookie was set to expire after a certain amount of time and they simply didn't visit the site again before it expired. All "remember me" is supposed to do is prevent the cookie from being automatically deleted when the browser is closed. Each app will have its own rules about how long a user can remain logged in after that point.
The expiration time can be configured one of two ways:
expires - A Date object representing the time the cookie should expire.
maxAge - A number representing the number of seconds the cookie should remain valid.
Neither is better than the other. Use the one that feels more natural to you.
Bad Auth State
Another time to log the user out automatically is when the user's session is invalid. The primary reason for this is that the user's account may have been deleted. In this case, you'll want to send them to the login page so they can log in with a different account or create a new one.
Depending on the application, this may not be necessary or desired, but for highly sensitive applications, it's a good idea.
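The following is an added example, not code from this exercise or its starter app: a tiny cookie-session model that ties together the POST-only logout, the expires/maxAge expiration options, and the bad-auth-state redirect described above. The cookie name, the /login path, the plain request/response objects and the findUserById lookup are all hypothetical, and a real app would also sign the cookie.

```javascript
// Added example, not code from the exercise: a tiny cookie-session model with the
// three behaviours discussed above. Cookie name, /login path and the user store are
// hypothetical; a real app would also sign the cookie.
const SESSION_COOKIE = 'en_session';

// Serialize the session cookie. Expiration comes from `expires` (a Date) or
// `maxAge` (seconds); with neither, the browser drops it when it closes.
function commitSession(session, { expires, maxAge } = {}) {
  let cookie = `${SESSION_COOKIE}=${encodeURIComponent(JSON.stringify(session))}`;
  cookie += '; Path=/; HttpOnly; SameSite=Lax';
  if (expires instanceof Date) cookie += `; Expires=${expires.toUTCString()}`;
  if (typeof maxAge === 'number') cookie += `; Max-Age=${maxAge}`;
  return cookie;
}

// Read the session object back out of a request's Cookie header.
function getSession(cookieHeader = '') {
  const pair = cookieHeader.split(/;\s*/).find(c => c.startsWith(`${SESSION_COOKIE}=`));
  if (!pair) return {};
  try { return JSON.parse(decodeURIComponent(pair.slice(SESSION_COOKIE.length + 1))); }
  catch { return {}; }
}

// Logout action: only POST may mutate state (a GET /logout link is a CSRF foothold),
// then the user id is unset and the emptied session is committed in the response.
function logoutAction(request) {
  if (request.method !== 'POST') return { status: 405, headers: {} };
  const session = getSession(request.headers.cookie);
  delete session.userId;
  return { status: 302, headers: { location: '/', 'set-cookie': commitSession(session) } };
}

// Bad auth state: a session that names a user who no longer exists is logged out
// and sent to the login page instead of being treated as authenticated.
function requireUser(request, findUserById) {
  const session = getSession(request.headers.cookie);
  const user = session.userId ? findUserById(session.userId) : null;
  if (user) return { status: 200, user, headers: {} };
  delete session.userId;
  return {
    status: 302,
    user: null,
    headers: { location: '/login', 'set-cookie': commitSession(session) },
  };
}
```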