
So you just removed the ability to have a "Log me in forever" checkbox.

An expiry date system is literally impossible to revoke without somehow maintaining a list of valid or invalid cookies, and by that point, you are hitting a database for each cookie.

So, one way, you don't have as much control, and you can't revoke a stolen cookie with potentially high level access rights. The other way, you are replicating a db backed session, and heaping complexity on top of it.

If we are dealing with a subset of bad cookies, then I suppose it becomes a hard question of what-to-do. We could put something into the code to distinguish and then require a minimum last good date of some sort. It is messy and I wouldn't want to do that, but really I just want to point out that your insistence on it being "impossible" just isn't true. If we just let ourselves revoke everything, then it is much simpler. I wonder how the "known subset of bad cookies" situation arises. I suppose it could, but you could in turn release an announcement telling your users that for all of their protection you are requiring that they login again, insert a minimum required date and move on with life. There are plenty of ways to deal with the situation and none of them are impossible.

Really? Could you try actually reading what I've written?

    impossible to revoke without somehow maintaining a list of valid or invalid cookies
Completely true. A minimum date like you are saying is still "some kind of list of valid or invalid cookies". Or are you going to get into the semantics of "that's not a list"? As an example of something that you can't do without tying a database into it, I've seen sites that let you log individual computers out of the system from your account page. No way to do that without a valid/not valid check in the DB.

Values are values whether or not they are in a db. It is situation dependent and probably not (happily) manageable in a large scale application. Saying things are "impossible" with such a heavy hand is a bit over the top. If my cookies have a date that is valid, then I can easily keep that bit of nasty logic in the code. I wouldn't do that personally, but it is doable. Take it easy :)
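The "minimum required date" the thread argues about, as an added example that is not code from either commenter: a stateless HMAC-signed cookie carries its issue time, and a single server-side cutoff rejects every cookie minted before it, so no per-cookie list is needed to force a global re-login. The secret, field names and timestamps are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the example only; a real deployment loads it from a secret store.
SECRET = b"example-only-hmac-key-not-for-production"


class SessionCookies:
    """Stateless signed session cookies with expiry plus a global issued-at cutoff."""

    def __init__(self, secret: bytes, ttl_seconds: int):
        self.secret = secret
        self.ttl = ttl_seconds
        self.min_issued_at = 0  # nothing revoked yet

    def issue(self, user_id: str, now: int) -> str:
        # Payload: who, when issued (iat), when it expires (exp). Signed, not encrypted.
        payload = json.dumps({"uid": user_id, "iat": now, "exp": now + self.ttl},
                             separators=(",", ":"), sort_keys=True).encode()
        b64 = base64.urlsafe_b64encode(payload).rstrip(b"=")
        mac = hmac.new(self.secret, b64, hashlib.sha256).digest()
        return (b64 + b"." + base64.urlsafe_b64encode(mac).rstrip(b"=")).decode()

    def revoke_all_before(self, cutoff: int) -> None:
        """Invalidate every cookie issued before `cutoff` (one integer of server state)."""
        self.min_issued_at = max(self.min_issued_at, cutoff)

    def verify(self, cookie: str, now: int):
        """Return the user id for a valid cookie, or None if it is forged, expired or revoked."""
        try:
            b64, sig = cookie.encode().split(b".")
        except ValueError:
            return None
        # Check the MAC before trusting (or even parsing) the payload.
        expected = hmac.new(self.secret, b64, hashlib.sha256).digest()
        got = base64.urlsafe_b64decode(sig + b"=" * (-len(sig) % 4))
        if not hmac.compare_digest(expected, got):
            return None
        data = json.loads(base64.urlsafe_b64decode(b64 + b"=" * (-len(b64) % 4)))
        if now >= data["exp"]:
            return None  # natural expiry
        if data["iat"] < self.min_issued_at:
            return None  # revoked by the global cutoff
        return data["uid"]
```

The cutoff only revokes everything before a point in time; signing out one specific device, as the thread notes, still needs per-session state on the server.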
