How do I destroy an http-only cookie while a server is offline?

I have a web application that talks to a web server via REST; this web application could be running on a public computer and enables multiple users to log on and log out in a given time period.

All cookies are HTTP-only; this is simply an additional security measure to cover cases of successful XSS attacks. This means that a REST call must be made to force a logout.

My concern is that when the web server goes down for any reason (or becomes inaccessible, e.g. a network cable being disconnected somewhere) and the user hits logout, there is actually no way of removing the cookie. This means that the user may walk away from the PC; meanwhile another user could come along when the connection is restored or the server comes back, and just continue using the previous user's account.

What is the typical way of dealing with this use case? (admittedly not particularly common).

Josh Mc asked Jul 07 '15 01:07



1 Answer

If I were tasked with something like this, and downtime was a given, I'd probably do something like adding a second cookie, modifiable through JS (let's call it cookiever), which would contain some value that is used as a part of the HMAC signature on the HTTP-only cookie, i.e. (pseudocode):

cookiever ||= random                      # per-session random value, readable/writable by JS
cookie_signature = hex_hmac_sha256(cookie_data + cookiever, "signing_secret")   # MAC covers both
httponlycookie = urlsafe_base64(cookie_data) + "|" + cookie_signature
set_cookie("httponly", httponlycookie, httponly=True)   # session payload + signature, not reachable from JS
set_cookie("cookiever", cookiever)                      # second cookie, no httponly flag, so JS can clear it

Normally, cookiever would be set by the server along with the httponly cookie, and is used to validate the cookie on each request. If the user were to request a logout, then you would use JavaScript to write an empty value to cookiever, destroying the signing information in the cookie. Thus, even if the httponly cookie can't be destroyed, the cookiever cookie would be, and on the next successful request, the httponly cookie would fail to validate its HMAC signature, and your server would discard it and force the user to start a new session.

Chris Heald answered Sep 21 '22 00:09

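A runnable version of the scheme the answer sketches, added here as an example and not code from the answer's author: the signing secret and the session payload are constructed placeholders, and the client-side logout step (clearing cookiever with JavaScript) is described in a comment.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

# Constructed placeholder secret; a real deployment loads this from configuration.
SIGNING_SECRET = b"example-signing-secret-not-for-production"


def _sign(cookie_data: bytes, cookiever: str) -> str:
    """HMAC-SHA256 over the session payload plus the JS-visible cookiever value."""
    return hmac.new(SIGNING_SECRET, cookie_data + cookiever.encode(), hashlib.sha256).hexdigest()


def issue_session(cookie_data: bytes) -> tuple[str, str]:
    """Return (httponly_cookie_value, cookiever_value) for the two Set-Cookie headers.

    The first value is sent with the HttpOnly flag; the second without it, so the
    browser-side logout can run: document.cookie = "cookiever=; Max-Age=0; path=/"
    """
    cookiever = secrets.token_urlsafe(16)
    payload = base64.urlsafe_b64encode(cookie_data).decode()
    httponly_value = payload + "|" + _sign(cookie_data, cookiever)
    return httponly_value, cookiever


def validate_session(httponly_value: str, cookiever: str | None) -> bytes | None:
    """Return the session payload when both cookies agree, otherwise None.

    A None result means the server should discard the session and start a new one.
    """
    if not cookiever:
        # cookiever was cleared by client-side JavaScript at logout (or never sent):
        # the signature can no longer be recomputed, so the HttpOnly cookie is dead.
        return None
    payload, sep, signature = httponly_value.partition("|")
    if not sep:
        return None
    try:
        cookie_data = base64.urlsafe_b64decode(payload)
    except ValueError:
        return None
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(_sign(cookie_data, cookiever), signature):
        return None
    return cookie_data
```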