Invalidating a session in
In this post, I am going to explain how I would tackle this problem. It is easy, however, to make requests related to each other, essentially establish a long session spanning many requests, via a mechanism called cookie.
A cookie is a piece of information that the web server wants the user agent, the browser, to remember and pass back to the server in next requests.
How can we improve the log out or closing the browser to invalidate the session?
This leaves you with the question of expiring the session.
Session (in)validation is usually a server concept: a session is "valid" as long as the server considers it to be valid, i.e.
grants access to whatever data and functionalities are defined to be session-based.
The session cookie would have extra mandatory fields timestamp and checksum.
The timestamp is the moment in time that this cookie was created or updated. The set is not shared across all insances of the web application.
The value of a cookie (or the lack thereof) that is received by the server is not trustable.
You cannot reliably handle it client-side only, if only because the client can disappear abruptly without any trace (user's laptop battery is empty, user is roaming in a car/train and goes out of range of a station, user's machine or browser crashes, user is evil and kills his browser just to annoy you... What if we don't keep the session at the server side?
For example, imagine the session is an encrypted value that includes a secret, and when the server receives the session, de-crypts it, and accepts the session only if the value matches a secret?
This can cause a session to be wrongly accepted when it is served by a different instance than the one that it has been invalidated on.
I have a web application where web session need to expire after stipulated period of time.