Logging off...pedantically

I've integrated Moralis sign-up/log-in/log-out/update features into my web3 site. All of that is working great.

Too great. When I close the web3 page (my working yarn start -> localhost:3000) and then open it again...I'm...still signed in.

That's great...if I were building a social media site. But I'm not. I'm building a bank.

How do I tell Moralis to set its session cookie to auto-expire at the end of the session?
I'd ask how to do it in JavaScript/React, but the user could just kill the browser process and that's the end of JavaScript before it could...um..."react".

Bonus question: how do I set up an inactivity timeout on the session login cookie? I'd like to poke the user with a warning and failing that: lock it up.

Rather boring bankish security stuff. But necessary. And I'm at a bit of a loss as to how to make it happen.

Thoughts?

Hey @TheBubbleGuy

On the https://xxxxxx.moralis.io:2083/apps/moralisDashboard/browser/_Session you can find the end date of the user sessions.

Take a look at Sessions

Hope this will give you some ideas
If you will have any more questions, I will be happy to answer.
I am pleased to see your progress :wink:

Hm. At first glance it appears that the ability to modify the session's default 1-year expiration date cannot exist to the developer at the server end due to session permissions settings. And the feature does not exist for the user at the front end. Users would have permissions to modify their session–but there's no API to offer that exposes that parameter.

I know y'all are busy but...tight session expiration controls are pretty standard online banking "OPSEC" (yes, I'm ex-military industrial complex). The user should be able to adjust their session inactivity timeout to somewhere down in the 1-30 minutes range.

Let me know when the Moralis devs get around to adding that API.

Thanks!

But that brings up another question:
How does isAuthenticated work...exactly? Is it pinging the server for verification, or is it just re-reading the local session cookie? What happens when the session expires on the server end? I know it's currently a bizarre corner case. But it becomes commonplace if the expiration timeout were to be set down to 1 minute.

Would an app remaining open across that event even notice? How and at what frequency does that state update on the front end?

No, wait...this is it, isn't it. Just call the logout() function on a timer. But I don't think that covers the website close event.
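
An added example, not part of the thread and not Moralis code: a warn-then-lock inactivity guard that keeps its last-activity stamp in storage, so a page reopened after the window has passed locks on load instead of relying on a timer that died with the browser. `createIdleGuard`, its options and the storage key are hypothetical names; `onLock` is where the app would call the `logout()` mentioned above.

```javascript
// Added example; every name here is hypothetical, not a Moralis API.
// storage: getItem/setItem/removeItem (localStorage in a browser).
// now: returns milliseconds. onLock: where the app would call logout().
function createIdleGuard({ warnAfterMs, lockAfterMs, onWarn, onLock, storage, now = Date.now }) {
  const KEY = 'idleGuard.lastActivity'; // constructed key name
  let state = 'active';

  function lock() {
    state = 'locked';
    storage.removeItem(KEY); // no stamp means a reopened page locks too
    onLock();
  }

  // Call after a successful login to begin a fresh idle window.
  function start() {
    state = 'active';
    storage.setItem(KEY, String(now()));
  }

  // Call on user input (pointerdown, keydown, ...). Ignored once locked.
  function touch() {
    if (state !== 'locked') start();
  }

  // Call on page load, before trusting a restored session, then on an interval.
  // A missing, corrupt or future-dated stamp counts as expired.
  function check() {
    if (state === 'locked') return state;
    const raw = storage.getItem(KEY);
    const last = raw === null ? NaN : Number(raw);
    const idle = Number.isFinite(last) ? now() - last : Infinity;
    if (idle < 0 || idle >= lockAfterMs) lock();
    else if (idle >= warnAfterMs && state === 'active') { state = 'warned'; onWarn(); }
    return state;
  }

  return { start, touch, check };
}

// Browser wiring (shown as comments so the block also loads outside a browser):
//   const guard = createIdleGuard({ warnAfterMs: 4 * 60e3, lockAfterMs: 5 * 60e3,
//     onWarn: showWarning, onLock: logout, storage: localStorage });
//   if (guard.check() !== 'locked') {
//     ['pointerdown', 'keydown'].forEach(e => addEventListener(e, guard.touch));
//     setInterval(guard.check, 1000);
//   }
```

The stamp lives in client storage the user controls, so this limits exposure on an unattended or reopened browser; it does not shorten the server-side session expiration discussed above.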