Problem: How do we log a user out offline?
In this quick post, developer Megan Parkes explains how the Glean Engineering Team solved a head-scratcher...
Published: 17 Aug 2021
The first in our new series from Glean's Engineering Team focuses on a practical problem - how can we log a user out if they're offline?
Imagine this...
You're happily using Glean offline in the browser (thanks to service workers!). You've finished your lecture for the day and want to log out of your account. Online, this would be a well-travelled path: you hit logout, a request is fired to a service, and the service responds by expiring your cookie, logging you out.
The problem
Offline, this is a bit harder! We can’t get a response to our request as there is no network, so how can we expire the cookie?
Could we expire it from the client? Unfortunately not, as the cookie has the HttpOnly flag set, which hides it from JavaScript. Could we remove the HttpOnly flag? Maybe not, as that can make us vulnerable to cross-site scripting attacks.
Our solution
The solution we settled on is to require two cookies with different tokens for authentication: one with the HttpOnly flag and one without. This allows us to expire the cookie without the HttpOnly flag from the client when the user is offline, meaning they can be logged out successfully!
TL;DR
Online logout:
- POST /logout, which responds by expiring the authentication cookie.
Offline logout issues:
- Can't POST /logout as there is no network.
- Can't expire the cookie from JavaScript as it has the HttpOnly flag.
Solution:
- Two cookies with different tokens are required for authentication: one with the HttpOnly flag, the other without it.
- When a user logs out offline, manually expire the non-HttpOnly cookie from the client.
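The two-cookie scheme above, sketched as an added example (this is not Glean's code). The cookie names, the `sessions` lookup and the exact server-side check are assumptions made for illustration.

```javascript
// Added example, not Glean's implementation. Names below are hypothetical.
const HTTP_ONLY_COOKIE = 'session_http'; // HttpOnly: invisible to scripts
const SCRIPT_COOKIE = 'session_js';      // readable and expirable by scripts

// Server side: Set-Cookie headers for a new session with two different tokens.
function loginSetCookies(httpToken, jsToken) {
  const common = 'Path=/; Secure; SameSite=Lax';
  return [
    `${HTTP_ONLY_COOKIE}=${httpToken}; ${common}; HttpOnly`,
    `${SCRIPT_COOKIE}=${jsToken}; ${common}`,
  ];
}

// Parse a Cookie request header (or document.cookie) into a name -> value Map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Server side: a request is authenticated only when BOTH cookies are present
// and belong to the same session. `sessions` maps httpToken -> jsToken.
function isAuthenticated(cookieHeader, sessions) {
  const jar = parseCookieHeader(cookieHeader);
  const httpToken = jar.get(HTTP_ONLY_COOKIE);
  const jsToken = jar.get(SCRIPT_COOKIE);
  if (!httpToken || !jsToken) return false;
  return sessions.get(httpToken) === jsToken;
}

// Client side: needs no network because this cookie is not HttpOnly.
// Path must match the one used when the cookie was set.
function offlineLogout(doc) {
  doc.cookie = `${SCRIPT_COOKIE}=; Max-Age=0; Path=/; Secure; SameSite=Lax`;
}

// Client side: the app can treat the user as logged out as soon as the
// script-visible cookie is gone.
function looksLoggedIn(doc) {
  return parseCookieHeader(doc.cookie).has(SCRIPT_COOKIE);
}
```

In a browser, call `offlineLogout(document)`. The HttpOnly cookie stays in the browser after an offline logout, but in this sketch it is useless on its own because the server demands the matching pair.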