Ghost member cookie expiration - in database, or?

So here’s a completely random question: I can find the code that sets cookies after a user follows a magic link and trades their token for a cookie. Those cookies get 184 days / 6 months for their expiration date.

What I can’t find is where Ghost checks that a cookie it is offered is not expired. Are cookie expirations handled server side, or is the client trusted to expire them? I’m asking because I’m working on a job where I’ve got a proxy adding a cookie. It works great today, but is Ghost going to refuse that cookie in six months?

I’ve been through the code and looked for a MySQL table, but I’m not finding anything that looks like expired cookies being invalidated. Help??


Cookie expiration is managed by the browser! In the case of Members auth, the logic for authenticating is here, and you can see that there’s only a cookie set to log a member in.

Thanks @vikaspotluri123 ! That’s what I suspected, but I worried I was perhaps missing some code elsewhere. (And I know enough systems that store a session ID in the backend that /does/ expire to be cautious about assuming it was all browser-based.)

1 Like