Ghost member cookie expiration - in database, or?

So here’s a completely random question: I can find the code that sets cookies after a user follows a magic link and trades their token for a cookie. Those cookies get 184 days / 6 months for their expiration date.

What I can’t find is where Ghost checks that a cookie it is offered is not expired. Are cookie expirations handled server side, or is the client trusted to expire them? I’m asking because I’m working on a job where I’ve got a proxy adding a cookie. It works great today, but is Ghost going to refuse that cookie in six months?

I’ve been through the code and looked for a MySQL table, but I’m not finding anything that looks like expired cookies being invalidated. Help??

Thanks!

Cookie expiration is managed by the browser! In the case of Members auth, the logic for authenticating is here, and you can see that there’s only a cookie set to log a member in.

Thanks @vikaspotluri123! That’s what I suspected, but I worried I was perhaps missing some code elsewhere. (And I know enough systems that store a session ID in the backend that /does/ expire to be cautious about assuming it was all browser-based.)

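The browser-managed expiry discussed in this thread, as an added example that is not part of the original posts and is not Ghost's code: `Max-Age` exists only in the `Set-Cookie` response, so a server that wants to enforce a lifetime has to carry a signed issue time inside the cookie value. The cookie name `demo-member`, the secret, and the `id.issuedAt.mac` layout are assumptions made for illustration.

```javascript
// Added example, not Ghost code. Cookie name, secret and value layout are hypothetical.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret';   // constructed value
const MAX_AGE_S = 184 * 24 * 60 * 60;       // 184 days, the lifetime mentioned in the thread

const sign = (data) =>
  crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Response side: the issue time is placed inside the signed value.
function issueCookie(memberId, nowMs) {
  const payload = `${memberId}.${Math.floor(nowMs / 1000)}`;
  return `demo-member=${payload}.${sign(payload)}; Max-Age=${MAX_AGE_S}; HttpOnly; Secure; SameSite=Lax`;
}

// Request side: a browser or proxy sends name=value only; attributes never come back.
function toRequestCookie(setCookieHeader) {
  return setCookieHeader.split(';')[0];
}

// Server-side check: verify the MAC first, then enforce age from the signed timestamp.
function verifyCookie(requestCookie, nowMs) {
  const value = requestCookie.slice(requestCookie.indexOf('=') + 1);
  const macAt = value.lastIndexOf('.');
  if (macAt < 0) return { ok: false, reason: 'malformed' };
  const payload = value.slice(0, macAt);
  const given = Buffer.from(value.slice(macAt + 1));
  const expected = Buffer.from(sign(payload));
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const tsAt = payload.lastIndexOf('.');
  const issued = Number(payload.slice(tsAt + 1));
  if (tsAt < 0 || !Number.isFinite(issued)) return { ok: false, reason: 'malformed' };
  if (nowMs / 1000 - issued > MAX_AGE_S) return { ok: false, reason: 'expired' };
  return { ok: true, memberId: payload.slice(0, tsAt) };
}
```

Without the timestamp check in `verifyCookie`, a client that keeps resending the same value stays authenticated indefinitely, because the only expiry lives in the client's cookie jar.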