How do I destroy an httponly cookie while a server is offline

I have a web application that talks to a web-server via REST. This web application could be running on a public computer and enables multiple users to log on and log out in a given time period.

All cookies are HTTP-only; this is simply an additional security measure to cover cases of successful XSS attacks. This means that a REST call must be made to force a logout.

My concern is that when the web-server goes down for any reason (or becomes inaccessible, e.g. a network cable being disconnected somewhere) and the user hits logout, there is actually no way of removing the cookie. This means that the user may walk away from the PC, and meanwhile another user could come along when the connection is restored or the server comes back, and just continue using the previous user's account.

What is the typical way of dealing with this use case? (Admittedly not particularly common.)


asked Jul 7, 2015 at 1:55 by Josh Mc

  • On a public computer, users should at least be using a private browser tab/window … But working under the assumption that they can't all be knowledgeable enough to apply at least such basic measures, I would check the success of the logout request, and alert them to the fact that it did not work. – C3roe Commented Jul 7, 2015 at 2:08
  • Also, reducing the session lifetime might help prevent the worst. If you want to "ping" the server in an interval to keep the session alive so as not to inconvenience regular users that might linger on a page with lots of content longer, then that should be stopped when logout fails. (If it fails because there is no connection, then it wouldn't matter that much, but there might be other reasons maybe.) You could offer reduced session lifetime as an optional feature as well, let's say by having an "I am logging in from a public computer" checkbox in the login form … – C3roe Commented Jul 7, 2015 at 2:13

1 Answer

If I were tasked with something like this, and downtime was a given, I'd probably do something like adding a second cookie, modifiable through JS (let's call it cookiever), which would contain some value that is used as a part of the HMAC signature on the HttpOnly cookie, i.e. (pseudocode):

cookiever ||= random                                      # per-session random nonce, readable by JS
cookie_signature = hex_hmac_sha256(cookie_data + cookiever, "signing_secret")
httponlycookie = urlsafe_base64(cookie_data) + "|" + cookie_signature
set_cookie("httponly", httponlycookie, httponly=True)     # session cookie, not reachable from JS
set_cookie("cookiever", cookiever)                        # plain cookie, JS can clear it on logout

Normally, cookiever would be set by the server along with the HttpOnly cookie, and is used to validate the cookie on each request. If the user were to request a logout, then you would use JavaScript to write an empty value to cookiever, destroying the signing information in the cookie. Thus, even if the HttpOnly cookie can't be destroyed, the cookiever cookie would be, and on the next successful request the HttpOnly cookie would fail to validate its HMAC signature, and your server would discard it and force the user to start a new session.
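The scheme the answer sketches, worked through end to end as an added example (this is not code from the answer or from any library, and the secret, the function names and the sample session data are all constructed for illustration). It signs the HttpOnly cookie over both the session data and the JS-clearable cookiever nonce, then walks the exact scenario from the question: a valid request, a logout performed while the server is unreachable (the page's JS clears cookiever), and the next visitor's request arriving with the surviving HttpOnly cookie. One small departure from the pseudocode: a separator is placed between the two signed values so that the boundary between session data and nonce is unambiguous.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed secret for the example; a real deployment keeps this in server-side config.
SIGNING_SECRET = b"signing_secret"


def _sign(cookie_data: str, cookiever: str) -> str:
    # Separator avoids ambiguity about where cookie_data ends and the nonce begins.
    msg = cookie_data.encode() + b"\x00" + cookiever.encode()
    return hmac.new(SIGNING_SECRET, msg, hashlib.sha256).hexdigest()


def make_session_cookies(cookie_data: str, cookiever: Optional[str] = None) -> Tuple[str, str]:
    """Return (httponly_cookie_value, cookiever_value) for a new or refreshed session.

    cookiever is a random nonce stored in a cookie the browser CAN clear from JS;
    because the HMAC covers it, clearing it invalidates the HttpOnly cookie too.
    """
    if not cookiever:
        cookiever = secrets.token_hex(16)
    encoded = base64.urlsafe_b64encode(cookie_data.encode()).decode()
    return encoded + "|" + _sign(cookie_data, cookiever), cookiever


def validate_session(httponly_cookie: Optional[str], cookiever: Optional[str]) -> Optional[str]:
    """Return the session data if both cookies are present and the HMAC verifies, else None."""
    if not httponly_cookie or not cookiever:
        return None
    try:
        encoded, sig = httponly_cookie.rsplit("|", 1)
        cookie_data = base64.urlsafe_b64decode(encoded.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(_sign(cookie_data, cookiever), sig):
        return None
    return cookie_data


def simulate_offline_logout() -> dict:
    """Walk the scenario from the question and report what the server sees at each step."""
    # Constructed sample session data.
    httponly, cookiever = make_session_cookies("user=alice;role=member")
    before = validate_session(httponly, cookiever)

    # Server becomes unreachable; the logout REST call cannot succeed. The page's JS
    # clears the non-HttpOnly cookie instead, e.g.:
    #   document.cookie = "cookiever=; Max-Age=0; path=/"
    # The browser now sends the HttpOnly cookie without a cookiever.
    after_js_clear = validate_session(httponly, "")

    # Later, the server is back and a request arrives with the surviving HttpOnly
    # cookie but a different nonce (e.g. a fresh one issued to a new visitor).
    with_other_nonce = validate_session(httponly, secrets.token_hex(16))

    return {"before": before, "after_js_clear": after_js_clear, "with_other_nonce": with_other_nonce}


if __name__ == "__main__":
    print(simulate_offline_logout())
```

Server-side session expiry still matters alongside this: the nonce only lets the client invalidate a session without a round trip, and a short lifetime (as suggested in the comments) bounds the window in which a still-valid cookie pair could be reused.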

Tags: javascript