My game uses save data that is stored in a database which I host. The saves are selected by a key derived from the player's username. The player can log in and play the game with their save. I want the system to be as secure as possible. I authenticate the user by giving them a unique token every time they log in and storing it in web storage as a session value; then, when an AJAX request is sent, it includes the username and token, which can then be authenticated. This stops me from dealing with the password more than once. I have a logout function which updates the token on the server to a value that will automatically fail authentication, so the account is inaccessible without the password being entered again.
Given this scenario, how can I make it secure?
A user is playing the game and, instead of pressing logout, they just close the tab the game is running in, so the logout command is never executed. The server still has the token stored and it has not been set to the lock value. Somebody could exploit the fact that the token is stored in the browser and, since the server hasn't changed the token, retrieve the token and use it to act against the account.
Would storing the token as a global variable solve this? If not, what can I do?
Is setting the lock value on logout even needed? The token each user has is 64 characters long from a set of 62 characters, giving 5.16497385e+114 possible token combinations. I feel this could be brute-forced, which is why I added the logout lock.