Hi, we are working on an offline-first app that may be run on shared computers and are trying to put together a sensible session management process.
We'd initially used the out-of-the-box cookie-based sessions setup and an HttpOnly cookie to mitigate the risk of session hijacking via XSS.
However, this poses a problem because when the user's session expires while they are offline, it makes it impossible to clear down that cookie programmatically.
Our understanding is that the existing cookie() feature expects to deal with only a single cookie. Also, Sessions.Configuration is not an open class, so we cannot create our own implementation there, which means we probably can't use the existing feature at all and would need to reimplement most of the cookie session handling code. Is that correct?
Perhaps you have a better approach for how to handle an offline logout - we'd certainly be interested!