Logging off...pedantically

I’ve integrated Moralis sign-up/log-in/log-out/update features into my web3 site. All of that is working great.

Too great. When I close the web3 page (my working yarn start -> localhost:3000) and then open it again…I’m…still signed in.

That’s great…if I were building a social media site. But I’m not. I’m building a bank.

How do I tell Moralis to set its session cookie to auto-expire at the end of the session?
I’d ask how to do it in JavaScript/React, but the user could just kill the browser process and that’s the end of JavaScript before it could…um…“react”.

Bonus question: how do I set up an inactivity timeout on the session login cookie? I’d like to poke the user with a warning and failing that: lock it up.

Rather boring bankish security stuff. But necessary. And I’m at a bit of a loss as to how to make it happen.


Hey @TheBubbleGuy

On the https://xxxxxx.moralis.io:2083/apps/moralisDashboard/browser/_Session you can find the end date of the user sessions.

Take a look at Sessions

Hope this will give you some ideas
If you will have any more questions, I will be happy to answer.
I am pleased to see your progress :wink:

Hm. At first glance it appears that the ability to modify the session’s default 1-year expiration date cannot exist to the developer at the server end due to session permissions settings. And the feature does not exist for the user at the front end. Users would have permissions to modify their session–but there’s no API to offer that exposes that parameter.

I know y’all are busy but…tight session expiration controls are pretty standard online banking “OPSEC” (yes, I’m ex-military industrial complex). The user should be able to adjust their session inactivity timeout to somewhere down in the 1-30 minutes range.

Let me know when the Moralis devs get around to adding that API.


But that brings up another question:
How does isAuthenticated work…exactly? Is it pinging the server for verification, or is it just re-reading the local session cookie? What happens when the session expires on the server end? I know it’s currently a bizarre corner case. But it becomes commonplace if the expiration timeout were to be set down to 1 minute.

Would an app remaining open across that event even notice? How and at what frequency does that state update on the front end?

No, wait…this is it, isn’t it. Just call the logout() function on a timer. But I don’t think that covers the website close event.
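
An added example, not part of any post above and not Moralis code: one way to build the inactivity timeout and the closed-page case discussed in this thread around a last-activity timestamp rather than a bare timer. The `logout` callback is assumed to be the `logout()` named above; the storage key, the limits and `appLogout` are hypothetical. Passing `sessionStorage` as `storage` means the marker is gone once the tab is closed, so the first check after reopening logs out.

```javascript
// Added example. `logout` is assumed to be the logout() named in the thread;
// the key name and limits are illustrative.
const ACTIVITY_KEY = 'idleGuard.lastActivityMs'; // hypothetical key

function createIdleGuard({ storage, logout, onWarn, warnAfterMs, lockAfterMs }) {
  let warned = false;

  const lastActivity = () => {
    const raw = storage.getItem(ACTIVITY_KEY);
    const ms = raw == null ? NaN : Number(raw);
    return Number.isFinite(ms) ? ms : null;
  };

  const lock = () => {
    storage.removeItem(ACTIVITY_KEY);
    warned = false;
    logout();
    return 'locked';
  };

  return {
    // Call once, right after a successful login.
    start(now) { storage.setItem(ACTIVITY_KEY, String(now)); warned = false; },

    // Call from input handlers (click, keydown, ...) while logged in.
    touch(now) {
      if (lastActivity() !== null) { storage.setItem(ACTIVITY_KEY, String(now)); warned = false; }
    },

    // Call on page load and on an interval, only while the app reports the
    // user as authenticated. Compares timestamps instead of trusting timers,
    // so a killed browser or a sleeping laptop is caught on the next check.
    check(now) {
      const last = lastActivity();
      // Marker missing or unreadable: fail closed. With sessionStorage this
      // is the "tab was closed and reopened" case.
      if (last === null) return lock();
      const idle = now - last;
      if (idle >= lockAfterMs || idle < 0) return lock();
      if (idle >= warnAfterMs) {
        if (!warned) { warned = true; onWarn(lockAfterMs - idle); }
        return 'warn';
      }
      return 'active';
    },
  };
}

// Browser wiring; `appLogout` is a placeholder for the app's own logout call.
// const guard = createIdleGuard({ storage: sessionStorage, logout: appLogout,
//   onWarn: ms => alert(`Locking in ${Math.ceil(ms / 1000)} s`),
//   warnAfterMs: 4 * 60e3, lockAfterMs: 5 * 60e3 });
// ['click', 'keydown'].forEach(e => addEventListener(e, () => guard.touch(Date.now())));
// setInterval(() => guard.check(Date.now()), 5000); guard.check(Date.now());
```

This only decides when the client calls `logout`; the expiry date stored in `_Session` on the server is unchanged by it.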