Using Cookies to Keep Users Logged In

Posted on 3. September 2024 by Jan Bunk


When users download your app, they expect it to be easy to use, with minimal interruptions. A big part of that experience is staying logged into their accounts, especially if they frequently interact with your app. If you turn your website into an app, the app mostly behaves like a browser, so ensuring users stay logged in requires careful handling of session management on your website. In this post, we’ll explore how to make sure users stay logged in on your app by correctly configuring your website’s session cookies.

Why Keeping Users Logged In Matters

The more seamless the experience, the more likely users are to continue using your app. Every time a user has to log back into their account, it creates a point of friction. If this happens too often, it can become frustrating, leading to decreased engagement and potentially higher churn rates. The solution? Ensuring your session management is set up correctly so that users stay logged in as long as possible, while still maintaining security.

Aspects of a Correct Cookie Setup

Expiration Times

Persistent sessions ensure that users stay logged in even after they close the app or website. This is achieved by configuring your session cookies (the cookies that keep the user logged in) correctly. To keep users logged in for your desired timeframe, you need to set the expires and max-age properties of the session cookies. They define how long the cookie should last before it’s automatically deleted by the app or browser.

  • expires: This property sets an absolute expiration date and time for the cookie.

  • max-age: This property defines the lifespan of the cookie in seconds from the time it is set. It’s often easier to use than expires because it doesn’t require you to calculate a specific date and time.

If these properties aren’t set, the cookie expires as soon as the user closes their browser or app, ending the session and logging the user out. Note that cookies without an expiration time are themselves often referred to as "session cookies". In that usage, "session" refers to the time the user kept the browser or app open, whereas in this blog post a session is the entire period during which you want to keep the user logged in (even if the app or browser was closed in the meantime).

The expiration time you want to use depends on how consequential getting hacked would be for a user. For a bank account this would surely be very bad, so a short expiration time should be used. Losing access to a Netflix account, however, is probably not so critical, so an expiration time of at least a month or longer would be fine; there, the hassle of constantly having to log in again would be too inconvenient to justify the higher security.

Other Important Cookie Properties

These properties are not essential for making sure that users stay logged in, but configuring them is recommended, as it makes it harder for attackers to steal session cookies. If attackers can steal a session cookie, they can log into that user's account without knowing their username and password.

  • Secure: This flag ensures that the cookie is only sent over HTTPS, which is crucial for security, especially if your app handles sensitive information. Always make sure this is enabled.

  • HttpOnly: This flag prevents JavaScript from accessing the cookie, which helps protect against cross-site scripting (XSS) attacks. Setting this flag is a good practice for any session cookie.
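As an added example (not code from the original post), the Python below builds a Set-Cookie header carrying the lifetime and flags from the two sections above, and audits a header the way you would when testing whether a login survives an app restart; the cookie name, token value and lifetimes are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

# Fixed "current time" so the Expires value is reproducible (constructed for this example).
FIXED_NOW = datetime(2024, 9, 3, 12, 0, tzinfo=timezone.utc)


def build_session_cookie(name, value, lifetime_seconds=None, now=None,
                         secure=True, http_only=True):
    """Return a Set-Cookie header value. lifetime_seconds=None yields a cookie
    without Max-Age/Expires, i.e. one dropped when the browser or app closes."""
    now = now or datetime.now(timezone.utc)
    parts = [f"{name}={value}"]
    if lifetime_seconds is not None:
        # Max-Age is the relative lifetime; Expires is the same instant as an
        # absolute HTTP date, for clients that only understand Expires.
        parts.append(f"Max-Age={lifetime_seconds}")
        expires = now + timedelta(seconds=lifetime_seconds)
        parts.append(f"Expires={format_datetime(expires, usegmt=True)}")
    if secure:
        parts.append("Secure")    # only sent over HTTPS
    if http_only:
        parts.append("HttpOnly")  # not readable by JavaScript
    return "; ".join(parts)


def audit_session_cookie(header):
    """Check a Set-Cookie header: does the login survive an app restart, and
    does the cookie carry the Secure and HttpOnly flags?"""
    flags = {}
    for attr in header.split(";")[1:]:          # skip the name=value pair
        key, _, val = attr.strip().partition("=")
        flags[key.lower()] = val if val else True
    return {
        "persistent": "max-age" in flags or "expires" in flags,
        "secure": flags.get("secure") is True,
        "httponly": flags.get("httponly") is True,
        "max_age": int(flags["max-age"]) if "max-age" in flags else None,
    }


if __name__ == "__main__":
    # Short lifetime for a high-consequence account, long one for a low-consequence account,
    # and a cookie with no lifetime at all (logged out when the app closes).
    for label, lifetime in (("bank", 15 * 60), ("streaming", 30 * 24 * 3600), ("no-expiry", None)):
        hdr = build_session_cookie("sid", "opaque-token", lifetime, now=FIXED_NOW)
        print(f"{label}: {hdr}\n    {audit_session_cookie(hdr)}")
```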

Handle Session Expiry Gracefully

Even with a long session duration, the expiration time you configured will eventually arrive. How you handle this expiry can make a big difference in the user experience.

Testing

It's important that you test that staying logged in works on your website. Make sure that you test it on both a computer and on a smartphone. If it works in the browser but not in your app, please let us know so we can investigate.

Conclusion

Keeping users logged in is vital for a smooth and enjoyable user experience in your app. By configuring your session cookies correctly, you can ensure that your users stay logged in as long as possible. Thorough testing is essential to catch any issues before they affect your users.

Implement these strategies to minimize disruptions, enhance user satisfaction, and keep your app’s users engaged and happy.

Written by Jan Bunk

Hi, I'm Jan! I created webtoapp.design in 2019 while studying computer science in university. A lot has changed since then - not only have I graduated, but it's also no longer just me running webtoapp.design. We've grown to a global, fully remote team and have gathered lots of experience around app development and app publishing. We've created and published hundreds of apps in the app stores, where they've been downloaded millions of times.