Http only cookie user authentication after session expires

Question

Stack:

• frontend = Vue
• backend = Strapi (node based cms) + postgresql

I have build a authentication mechanism that uses http only cookies. The user logs in, then a http only cookie is send to the user. The users saves this in the browser but can not access it using javascript. Therefore the cookie is more or less protected from xss.

The problem with this is; when a user leaves the website and comes back after let's say 2 days, the authentication boolean on the client side still says that the user is authenticated. But in reality the cookie is already expired. I would like to check the cookie for experiation, but that is not possible as it is http only and not accessible by client code.

How do you guys go over this and what are some best practices?

cheerss

I have thought about setting a timer or datestamp on the moment of handing out the cookie. But that would mean I would be constantly checking.

Answer 1

I have a similar setup. As you mentioned it's not possible for JavaScript to access the http cookie, and having a timer run for the period of cookie expiry is not very desirable.

What I do is to do nothing until the user user performs an action that requires authentication (e.g. click a button that does a HTTP GET to the backend). Once the user does that and if the cookie had already expired, I get one of the 302, 401 or 403 HTTP status codes from the backend, and when this happens the .then block in the Javascript fetch request does a redirect to the authentication server so the user logs in again to get a new cookie, and then continues with the original action.

Not claiming this is the best method but it's working well for me. Hope this helps.