Reputation: 6350
We're using JWT as our authentication and storing it as a cookie with HTTPONLY for security reasons (https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage). We're currently setting a maxAge on it for an hour and will be refreshing the maxAge time on subsequent API requests to prolong the active session (only if the JWT is not expired).
We need to handle the use case where, on browser close, the JWT token is cleared from the cookie so that on a public machine, re-opening the browser would not reinstate the previous user's session. How is this possible?
Or what is the proper way to implement JWT for the use cases mentioned above?
Upvotes: 3
Views: 4666
Reputation: 4913
The known solution for clearing cookies on browser close is to not set an expiration time on the cookies, this is discussed in this question:
Clear cookies on browser close
This is, of course, a catch 22 if you want to have a short session idle time, such that the user is logged out if they are inactive for a while.
As such, you should use the exp of the token to be your session idle time (the max age you are currently setting on the cookie). If time passes beyond the exp, the token is no longer valid. If the token is not expired, you can send down a new token on the request, with a new exp value. You could do this for every request, or only if the token is within X minutes of expiring.
I hope this answer helps! I work at Stormpath, I’m glad that you found our article, Where to Store your JWTs – Cookies vs HTML5 Web Storage, useful!
Upvotes: 2
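The sliding-expiry scheme the answer describes, as an added example (not code from the question, the answer, or Stormpath): an HS256 JWT whose exp claim is the idle deadline, delivered in an HttpOnly session cookie with no Max-Age so the browser discards it on close, and re-issued only when it is within a refresh window of expiring. The secret key, cookie name and window length are constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret-not-for-production"  # constructed sample key
IDLE_SECONDS = 3600       # session idle time, carried in the token's exp claim
REFRESH_WINDOW = 15 * 60  # re-issue only when within X minutes of expiring

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SECRET, signing_input, hashlib.sha256).digest()

def mint(sub: str, now: int) -> str:
    """Issue an HS256 JWT whose exp is the idle deadline, not the cookie's."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "iat": now, "exp": now + IDLE_SECONDS}).encode())
    return f"{header}.{payload}.{_b64(_sign(f'{header}.{payload}'.encode()))}"

def verify(token: str, now: int):
    """Return the claims, or None if the token is malformed, forged or past exp."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # the token never gets to pick its own algorithm
        if not hmac.compare_digest(_sign(f"{header}.{payload}".encode()), _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    return claims if claims.get("exp", 0) > now else None

def session_cookie(token: str) -> str:
    # No Max-Age/Expires: a session cookie the browser discards when it closes.
    return f"access_token={token}; Path=/; HttpOnly; Secure; SameSite=Lax"

def clear_cookie() -> str:
    return "access_token=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax"

def handle_request(cookie_token, now: int):
    """Authenticate one request: (subject or None, Set-Cookie header or None)."""
    claims = verify(cookie_token, now) if cookie_token else None
    if claims is None:
        return None, clear_cookie()
    if claims["exp"] - now <= REFRESH_WINDOW:  # sliding session: re-issue near expiry
        return claims["sub"], session_cookie(mint(claims["sub"], now))
    return claims["sub"], None
```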