When a user logs out from our web site, we are used to clearing the session and that’s it. When you are developing a single page application, you are likely to keep a lot of state on the client side, and that should be cleared too.
For Ninja Tools, that meant going from the traditional re-frame initialize-db:
(re-frame/register-handler :initialize-db (fn [_ _] (re-frame/dispatch [:get-current-user]) {:current-route nil :alerts (sorted-map) :current-user nil :log-in-form {} :registration-form {} :reset-password-form {} :change-password-form {} :tools nil :used-tools nil}))
to having the initial-db in a re-usable value:
(def initial-db {:current-route nil :alerts (sorted-map) :current-user nil :log-in-form {} :registration-form {} :reset-password-form {} :change-password-form {} :tools nil :used-tools nil}) (re-frame/register-handler :initialize-db (fn [_ _] (re-frame/dispatch [:get-current-user]) initial-db))
and our logged-out handler to use it instead of modifying the current estate, which meant going from:
(re-frame/register-handler :logged-out (fn [db [_]] (routing/redirect-to :home) (-> db (assoc :current-user nil) (alerts/add-alert :success "You are now logged out."))))
to:
(re-frame/register-handler :logged-out (fn [db [_]] (routing/redirect-to :home) (-> db/initial-db (alerts/add-alert :success "You are now logged out."))))
Since we care so much about security, for us, it’s important to go back to initial-db, and if there’s some state that should survive, we’ll pass it on manually. That is, we’ll be doing whitelisting vs blacklisting.
Something that we haven’t decided is whether we clear the state on log-out, when the user just clicked the log out link, or logged-out, when when the server has cleared the session.
The advantage of the former is that we clear all the state as soon as possible, the advantage of the later is that should the log out procedure fail for some reason, the app still has the state and it should still be usable, which might be required for re-trying logging out.
Recapping that, clearing state immediately behaves better when everything goes well, clearing state later behaves better when something goes wrong during the log out process. We can’t comment one being safer that the other, as clearing the session earlier and failing to log out might leave the user under the impression they successfully logged out when it’s not the case.
Leave a Reply