Cookie Management Best Practices #1228
-
BackgroundI am building the backend to my web app using FastAPI and Postgres, and I am handling authentication using CookieTransport and DatabaseStrategy. My frontend is built with Svelte. Current ImplementationBy default I am returning a Session Cookie on login, where no expiration is set. I also allow users to check a "Keep me logged in" box which will set a Persistent Cookie with an expiration date baked into the Cookie of 30 days. When defining my DatabaseStrategy I am setting a lifetime_seconds equivalent to 30 days, so under no circumstances can a token be valid for longer than 30 days. I elected to implement this strategy after seeing it mentioned by @frankie567 here.
With this design the token for both Session and Persistent Cookies are exclusively removed from my database when a user logs out. They are not removed even after 30 days when they are no longer valid. At the application level both are technically valid for 30 days because of my lifetime_seconds, the only difference is how the browser holds on to the token by default (meaning they could always be modified by the user at the browser level). Is this a standard/acceptable practice? QuestionsI have a few general practice questions I would like input on:
Overall my goal is a secure application that follows best practices, but I am really striving for simplicity for internal resource reasons within my company. This is which is why I am so hesitant to expand the fastapi-users package itself. I am also not wanting to over engineer for problems I don't have yet, which is why I elected to store the tokens in Postgres (which I am already using heavily) instead of implementing the RedisStrategy or Redis Caching. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
Hi @hdmoreland 👋 Thank you for your clear and complete question. Here are my thoughts: If your goal is simplicity, I would suggest to implement only one cookie mechanism. Many websites nowadays implicitly remember the user by using a cookie without the Remember me checkbox. Now, to answer your questions:
It depends on the criticality of your application and sensitivity of the actions/data your users will manipulate. 30 days seems a bit long to me, but you should consider the trade-off between security and usability. Personally, I usually set this to 7 days.
Not necessarily: the access token creation date is stored in the DB, so even if the token is still present in DB, we always check if it's not expired. Implementing this automation is useful if you want to keep your house tidy and not accumulate too much expired tokens.
As I mentioned above, I'm not sure you need the "Session cookie" mechanism. But if you really want it, I would say yes, it's safer to have a strategy that considers tokens with a shorter lifetime (like 24 hours).
If you really want to be extra-careful about security, yes. Personally, I would say it's not strictly necessary in a first intent.
That would add lot of complexity to your implementation; I'm not sure it would add so much security to the system.
You could, but not strictly necessary in my opinion. Hope it helps! |
Beta Was this translation helpful? Give feedback.
Hi @hdmoreland 👋
Thank you for your clear and complete question. Here are my thoughts:
If your goal is simplicity, I would suggest to implement only one cookie mechanism. Many websites nowadays implicitly remember the user by using a cookie without the Remember me checkbox.
Now, to answer your questions:
It depends on the criticality of your application and sensitivity of the actions/data your users will manipulate. 30 days seems a bit long to me, but you should consider the trade-off between security and usability. Personally, I usually set this to 7 days.