how to revoke Http-only cookies in the browser when logging out in frontend?

Question

how to revoke Http-only cookies in the browser when logging out in frontend?

situations:

1. I set an authentication cookie for logged users on the server.
2. the cookie marked as Http-only to prevent XSS attack.
3. the cookie set 3 months expiration to prevent inputting credential every time.
4. Occasionally, when the user clicked the logout button the network is not working for some unknown reason so the browser keeps that cookie after the user logged out.
5. to prevent this happen, I have to force the browser to revoke cookies after the user clicks the logout button.
6. but the wiki told me that I do not have the permissions to change the Http-only cookies.

So, How can I revoke the Http-only cookie?
Or, am I missed something in session configurations on the server?

Answer 1

See this answer: https://stackoverflow.com/a/23035655/19331318

Revoking the session by adding another cookie is not a secure implementation. There are many situations, such as on a public computer, where the cookies are currently safe but may not be safe for the next 3 months. If the user isn’t careful on a public computer, someone could come along later and steal the cookie. A secure logout implementation can ensure this isn’t possible, even if the user’s internet fails.

As described in the answer linked above, you can split your session into two cookies. One cookie should be HTTP-only while the other can remain accessible to the JS. The server validates both cookies rather than just one, and if the JS accessible cookie is missing or doesn’t match, the user can be logged out.

Depending on your implementation and the size of your current HTTP-only session cookie, you might not be able to simply split the session cookie in half. Given either half, an attacker should not be able to guess the missing half. According to the OWASP Session Management Cheatsheet, this means that each half must have at least 64 bits of entropy.

Answer 2

I have exactly the same situation now, but 'Logout' does not require changes at the front, server mark the session as finished, you can't go anywhere with this cookie. in general, except for the placement of "credentials: 'include'" in each request, there is nothing more to change at the front, all the logic is stored entirely on the server.

Answer 3

There's a workaround:

Whenever a user clicks the logout button set a new, separately named, cookie for the website's domain that indicates to the web-server that the user's HTTP-only cookie should be immediately expired on the next successful HTTP request (e.g. expire-my-session-cookie). Finally, in the server, add a middleware, request-interceptor or HTTP-module (I don't know what server-side platform you're using) that checks for this expire-my-session-cookie) and if present, redirects or rewrites the request to the real logout handler to complete the task of expiring any HTTP-only cookies.

I don't think there's any security risk here as if if your site does have a script-injection vulnerability then a malicious script could unilaterally log-off your users anyway simply by setting window.location = 'http://your/logoff/page'.

Something like this in the rendered HTML:

<a href="/logoff" onclick="document.cookie = 'expire-my-session-cookie=true'; return true;">logoff</a>

Something like this as a HTTP middleware (i.e. executed on every request, except static files and assets):

(Pseudocode)

function( next ) {

    if( request.cookies["expire-my-session-cookie"] == "true" ) {

        // Set all of the user's cookies to expire immediately:
        for( int i = 0; i < request.cookies.length; i++ ) {

            response.cookies.setCookie( request.cookies[i].name, "", expires: 1970-01-01 );
        }

        return response.redirect( 'logoff-handler' );
    }
    else {

        // Otherwise continue as normal:
        return next();
    }