Using Cookies to Keep Users Logged In

Posted on 3. September 2024 by Jan Bunk

A humanoid robot holding up a delicious looking chocolate chip cookie, digital art

When users download your app, they expect it to be easy to use, with minimal interruptions. A big part of that experience is staying logged into their accounts, especially if they frequently interact with your app. If you turn your website into an app, the app will mostly behave like a browser. Due to that, ensuring users stay logged in requires some careful handling of session management on your website. In this post, we’ll explore how to make sure users stay logged in on your app by correctly configuring your website’s session cookies.

Why Keeping Users Logged In Matters

The more seamless the experience, the more likely users are to continue using your app. Every time a user has to log back into their account, it creates a point of friction. If this happens too often, it can become frustrating, leading to decreased engagement and potentially higher churn rates. The solution? Ensuring your session management is set up correctly so that users stay logged in as long as possible, while still maintaining security.

Aspects of a Correct Cookie Setup

Expiration Times

Persistent sessions ensure that users stay logged in even after they close the app or website. This is achieved by configuring your session cookies (the cookies that keep the user logged in) correctly. To keep users logged in for your desired timeframe, you need to set the expires and max-age properties of the session cookies. They define how long the cookie should last before it’s automatically deleted by the app or browser.

  • expires: This property sets an absolute expiration date and time for the cookie.

  • max-age: This property defines the lifespan of the cookie in seconds from the time it is set. It’s often easier to use than expires because it doesn’t require you to calculate a specific date and time.

If these properties aren’t set, the cookie will expire as soon as the user closes their browser or app, ending the session and logging the user out. Please note that such cookies without an expiration time are also often referred to as "session cookies". In that case "session" refers to the time the user kept the browser/app open, while in this blog post we call the entire period that you want to keep the user logged in as one session (even if the app/browser was closed in the meantime).

The expiration time you want to use depends on how consequential getting hacked would be for a user. For a bank account, this would surely be very bad, so a low expiration time should be used. However losing access to a Netflix account is probably not so critical, so an expiration time of at least a month or longer would be fine. There the hassle of constantly having to log in again would be too inconvenient to justify the higher security.

Other Important Cookie Properties

These properties are not essential for making sure that users stay logged in, but configuring them is recommended, as it makes it harder for attackers to steal session cookies. if attackers can steal a session cookie, they can log into that user's account without knowing their username and password.

  • Secure: This flag ensures that the cookie is only sent over HTTPS, which is crucial for security, especially if your app handles sensitive information. Always make sure this is enabled.

  • HttpOnly: This flag prevents JavaScript from accessing the cookie, which helps protect against cross-site scripting (XSS) attacks. Setting this flag is a good practice for any session cookie.

Handle Session Expiry Gracefully

Even with a long session duration, the expiration time you configured will eventually arrive. How you handle this expiry can make a big difference in the user experience.

Testing

It's important that you test that staying logged in works on your website. Make sure that you test it on both a computer and on a smartphone. If it works in the browser but not in your app, please let us know so we can investigate.

Conclusion

Keeping users logged in is vital for a smooth and enjoyable user experience in your app. By configuring your session cookies correctly, you can ensure that your users stay logged in as long as possible. Thorough testing is essential to catch any issues before they affect your users.

Implement these strategies to minimize disruptions, enhance user satisfaction, and keep your app’s users engaged and happy.

Related Articles


Holographic smartphone with blue rotation arrow around it, digital art

When to Restrict Your App to Landscape or Portrait Mode

When turning websites into apps, we allow users to lock their app to a specific orientation. Here's why we recommend not doing that.

A humanoid robot with a large broom sweeping away a pile of data, digital art

How to Fix Caching Issues in Your App

A correct caching setup on your website is essential to make sure changes on your website show up in your app immediately.

A humanoid robot updating a file in a cabinet, digital art

How to Update the Address or Name in Your Google Developer Account

If your company's name or address changes, this is reflected in the information attached to your DUNS number. Afterwards, you'll also need to verify the new information with Google.


Author Jan Bunk
Written by
Jan Bunk

Hi, I'm Jan! I created webtoapp.design in 2019 while studying computer science in university. A lot has changed since then - not only have I graduated, but it's also no longer just me running webtoapp.design. We've grown to a global, fully remote team and have gathered lots of experience around app development and app publishing. We've created and published hundreds of apps in the app stores, where they've been downloaded millions of times.