the server will set cookie to the browser when the user logs in/ signs up. i can verify the jwt token in context. with that, i get the expiration time. i’m thinking of “refreshing” the user’s cookie by setting a new cookie if they’re still communicating with the server, let’s say the last 5 minutes before the cookie expires.
i’m not sure if this is how you do it.
It is what we are doing.
We have 2 variables:
TimeJWT and timeBeforeRefresh
Each time the API is triggered, we check if the JWT is valid and if yes, we check if it is time to send another new JWT.
We use http only so it’s quite easy to send the new cookie form the backend. No need to do anything in the frontend.
We also have added a unique sessionId in the token which is save on the user level.
It helps to invalidate the JWT when we need to.
We have the trailing session and the invalidate action.
Finally in the frontend we have set an idle function where it asks to the backend every 30 sec if the user is logged in or not. This endpoint is not triggering the refresh token.
This logout the user from the app if the user is nit log in anymore