Tuesday 26 December 2017

How to use two cookies for user sessions (expressjs)?

When handling user sessions, I want to keep http-only cookie security benefits while also allowing the users to sign out (delete the cookie) when they are offline or the server is not available. This StackOverflow answer suggests using two cookies for this. Both cookies should be required for a session to be considered valid, and one of them can be removed by the client at will. However, as I understand, express-session only uses one cookie. Is there a way to use two cookies for sessions (one http-only and one not-http-only) and keep it interoperable with other middleware (like express-session, passport, etc)?

Submitted December 26, 2017 at 11:43AM by smthamazing
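
One way the two-cookie check described in the question could sit in front of express-session, as an added example that is not part of the original post or of express-session itself. The cookie name `sid_alive`, the `MARKER_SECRET` variable and the choice to bind the marker to the session ID with an HMAC are assumptions made for this sketch.

```javascript
const crypto = require('crypto');

const SESSION_COOKIE = 'connect.sid'; // express-session's default cookie name
const MARKER_COOKIE = 'sid_alive';    // assumed name for the script-readable cookie
const MARKER_SECRET = process.env.MARKER_SECRET || 'constructed-dev-secret';

// Split a Cookie header into [name, rawValue] pairs.
function parseCookieHeader(header) {
  return (header || '').split(';').map((p) => p.trim()).filter(Boolean).map((p) => {
    const eq = p.indexOf('=');
    return eq === -1 ? [p, ''] : [p.slice(0, eq), p.slice(eq + 1)];
  });
}

// express-session sends "s:<sessionID>.<signature>", URL-encoded.
function sessionIdFromCookie(raw) {
  let value;
  try { value = decodeURIComponent(raw); } catch (err) { return null; }
  const dot = value.lastIndexOf('.');
  return value.startsWith('s:') && dot > 2 ? value.slice(2, dot) : null;
}

// Marker value: HMAC of the session ID, so script cannot recreate it once deleted.
function markerFor(sessionId) {
  return crypto.createHmac('sha256', MARKER_SECRET).update(sessionId).digest('hex');
}

// Set-Cookie value to send at login (no HttpOnly, so client script can delete it).
function markerSetCookie(sessionId) {
  return `${MARKER_COOKIE}=${markerFor(sessionId)}; Path=/; Secure; SameSite=Lax`;
}

function markerValid(sessionId, marker) {
  const a = Buffer.from(markerFor(sessionId));
  const b = Buffer.from(marker || '');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Mount before cookie-parser and express-session.
function requireMarkerCookie(req, res, next) {
  const pairs = parseCookieHeader(req.headers.cookie);
  const session = pairs.find(([n]) => n === SESSION_COOKIE);
  const marker = pairs.find(([n]) => n === MARKER_COOKIE);
  const sid = session && sessionIdFromCookie(session[1]);
  if (session && !(sid && marker && markerValid(sid, marker[1]))) {
    // Hide the session cookie so downstream middleware sees a signed-out request.
    req.headers.cookie = pairs.filter(([n]) => n !== SESSION_COOKIE)
      .map(([n, v]) => `${n}=${v}`).join('; ');
  }
  next();
}
```

At login, send `markerSetCookie(req.sessionID)` alongside the session cookie. When a later request arrives without the marker, the server-side session record still exists until it expires or is destroyed.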
