Bug: Inconsistent session status
The status of my user session on LW2 is halfway-preserved by cookies (with everything else reset). The top bar shows the username on the initial page load, but changes to “LOGIN” on any refresh.
I have not investigated, but I suspect using some mechanism for session permanence that was not meant for that purpose (LocalStorage etc.).
I don’t have super strong opinions on this. Meteor uses localStorage for the account system, and they explain their reasons in this blog post: https://blog.meteor.com/why-meteor-doesnt-use-session-cookies-e988544f52c9
We are probably stuck with that, until we decide to migrate away from Meteor, which we will do eventually, but probably not in the next few months. I am curious what problems it is causing you.
I do not preserve LocalStorage outside of browser sessions. So to use the site, each time I have to first refresh it until it notices that I’m no longer logged in, and then log in again.
The arguments in that blog post have essentially no substance, because all the security problems with cookies they point to (except maybe one which doesn’t apply to LW) can be matched to analogous but less publicized problems with their method. But this seems pretty irrelevant to any actual reason for the state of things.
Would it be feasible to get consistency by using only LocalStorage and no cookie?
It would definitely be a bunch of work, since a bunch of libraries we use also use cookies. If there is a strong argument for the benefit, I would definitely consider it.