HACKER Q&A

SaaS Login System Issue


I have built a system where, after a user successfully logs in to a website, an encrypted cookie is set with the user ID (UUID in the DB) and a token.

To prevent cookie theft, the token is re-generated on each and every request the browser sends, and the cookie updated/replaced.

On each request, the back-end verifies the token in the encrypted cookie against the token stored in the DB for that user account; if they don't match, the user is signed out.

Now, I stumbled on a big issue last night. My internet connection was being wonky and requests didn't reach the server, so I ended up hammering away multiple requests... and when one finally reached the server, the token got updated (as it should), and all the other requests in the queue then had the wrong token, and I was signed out.

My question is, how do I prevent this?

One solution I came up with is to not regenerate the token on each user-made request, but instead automatically send an AJAX request with JavaScript every ~5 minutes to re-generate the token.

Grateful for any thoughts! Have a great day!
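Added example, not the poster's code: a simulation of the failure described above and the usual fix for per-request token rotation, which is to keep the previous token valid for a short grace window after each rotation (the same pattern used for refresh-token rotation). An in-memory dict stands in for the DB, the cookie encryption layer is assumed to have already run so the functions receive the plaintext token, and a fake clock replaces `time.monotonic()` so the grace window can be tested deterministically. All names and the 30-second window are illustrative choices.

```python
"""Rotating session tokens: naive store vs. store with a grace window.

Constructed simulation (not from the original post). Tokens are rotated on
every request; the naive store keeps only the newest token, so a retried or
queued request that still carries the previous token is rejected and the
session is destroyed. The grace store also remembers the previous token for
a short window, which absorbs duplicates/retries while still bounding how
long a stolen pre-rotation cookie remains replayable.
"""
import hmac
import secrets
import time


def _new_token():
    # 256 bits of randomness; what gets sealed into the encrypted cookie.
    return secrets.token_urlsafe(32)


def _eq(a, b):
    # Constant-time comparison so token checks do not leak via timing.
    return a is not None and b is not None and hmac.compare_digest(a, b)


class NaiveSessionStore:
    """Exactly one valid token per user; any mismatch signs the user out."""

    def __init__(self):
        self.tokens = {}  # user_id -> current token (stands in for the DB row)

    def login(self, user_id):
        self.tokens[user_id] = _new_token()
        return self.tokens[user_id]

    def request(self, user_id, token):
        """Return the rotated token on success, None (and sign out) on mismatch."""
        if not _eq(self.tokens.get(user_id), token):
            self.tokens.pop(user_id, None)
            return None
        self.tokens[user_id] = _new_token()
        return self.tokens[user_id]


class GraceSessionStore:
    """Current token plus the previous one, valid for `grace_seconds` after rotation."""

    def __init__(self, grace_seconds=30, clock=time.monotonic):
        self.grace = grace_seconds
        self.clock = clock
        self.sessions = {}  # user_id -> (current, previous, rotated_at)

    def login(self, user_id):
        tok = _new_token()
        self.sessions[user_id] = (tok, None, self.clock())
        return tok

    def request(self, user_id, token):
        """Return the token the cookie should now carry, or None if signed out."""
        sess = self.sessions.get(user_id)
        if sess is None:
            return None
        current, previous, rotated_at = sess
        now = self.clock()
        if _eq(current, token):
            new = _new_token()
            self.sessions[user_id] = (new, current, now)
            return new
        if _eq(previous, token) and now - rotated_at <= self.grace:
            # Late duplicate of an already-rotated request: accept it but do
            # NOT rotate again, and hand back the current token so the client's
            # cookie is resynchronised instead of drifting further behind.
            return current
        self.sessions.pop(user_id, None)  # genuine mismatch: sign out
        return None


class FakeClock:
    """Deterministic stand-in for time.monotonic() in tests."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


def simulate_retry_burst(store, user_id, copies):
    """Log in, then send `copies` requests all carrying the same cookie token,
    as a browser retrying a request that never got its response would.
    Returns one bool per request: True if it was accepted."""
    token = store.login(user_id)
    return [store.request(user_id, token) is not None for _ in range(copies)]


def simulate_stolen_cookie(store, clock, user_id, delay):
    """Attacker captures the login cookie; the user makes one normal request
    (rotating the token); the attacker replays the old token `delay` seconds
    later. Returns True if the replay is accepted."""
    stolen = store.login(user_id)
    store.request(user_id, stolen)  # legitimate request rotates the token
    clock.now += delay
    return store.request(user_id, stolen) is not None


if __name__ == "__main__":
    clk = FakeClock()
    print("naive, 3 retries:", simulate_retry_burst(NaiveSessionStore(), "u1", 3))
    print("grace, 3 retries:", simulate_retry_burst(GraceSessionStore(30, clk), "u1", 3))
    print("replay after 5s: ", simulate_stolen_cookie(GraceSessionStore(30, clk), clk, "u2", 5))
    print("replay after 31s:", simulate_stolen_cookie(GraceSessionStore(30, clk), clk, "u3", 31))
```

The trade-off is visible in the last two lines: the grace window is exactly how long a stolen pre-rotation token stays usable, so it should be no longer than the retry/timeout behaviour you need to tolerate (tens of seconds, not minutes). Whichever window you pick, the DB write on every request that the poster's design already pays for stays the same; only the comparison gains one extra branch.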


  👤 edmundsauto Accepted Answer ✓
So your goal is to prevent cookie theft, not to figure out how to get token regeneration to work.

What makes you think this is a problem for your app?

What else have you thought of to solve the issue? One idea would be to concatenate the cookie token and the IP of the requestor; that would eliminate the "cookie was stolen and used from another IP" case. Or you could use a browser fingerprint here.