
Authentication errors due to stale cookies, part one

Matt introduces a new short series on how to fix problems caused by authentication cookies going stale.

This is the first in a series of posts where we'll discuss how to handle stale authentication cookies. This first post will cover the problems you might see in your application if authentication cookies have gone stale. Following posts will cover solutions to each of those problems in turn.

Authentication cookies

It's common to need authentication and authorisation for your application, so that only certain users can access certain features. Sometimes this might just be as simple as only allowing logged in users to see anything.

Because authentication is a standard concern that doesn't need application-specific behaviour, most web applications delegate it to an identity provider, which handles credentials and tells applications who a user is. This can be basic information such as name and username, but can include other useful information too, such as a user's job title. Protocols such as OpenID Connect define how this should work: usually, when a user accesses an application, the application sends the user to the identity provider to be authenticated, and then stores the returned identity information (or a reference to it) in a cookie that the browser sends back on every subsequent request.

Authentication errors due to stale cookies

The authentication is time-limited, but the expiry is usually sliding: each request that reaches the application extends it. If no requests arrive for longer than the idle timeout, the authentication details stored in the cookie expire. From then on, API requests will usually get a 401 Unauthorized response, while requests for pages and static assets such as HTML files get an HTTP redirect (typically a 302) to the identity provider so that the user can be re-authenticated.

Occasionally, an application answers unauthenticated API requests with that same redirect. The browser follows a redirect on a fetch or XMLHttpRequest transparently, so the SPA ends up with a cross-origin response from the identity provider that carries no CORS headers, and the request fails with a CORS error rather than a 401. From the user's point of view the behaviour is the same in either case.

Problems observed by users

If your frontend is a single-page application (SPA), there are two common problems caused by stale cookies that your users might see:

  • Errors when opening the application for the first time in a while, which disappear after a browser refresh.
  • Errors when interacting with the application after having left it idle for a while, for example when a browser tab is left open during a lunch break.

Although a stale cookie is the trigger in both cases, these problems have different underlying causes and so need different solutions. We'll discuss those in upcoming posts. See you then!