Node.js - Should I refresh cookie with each request/response to update expiration time?

Authentication method

In my Node.js (w/ Express.js) back-end, I authenticate users using a JWT that is stored in a cookie with the HttpOnly flag. The cookie expires in N hours. A middleware checks if the JWT is valid and either calls the next() function or sends a 401 status.

Current behavior

If the cookie expires, the user must log in again, even if he was still using the app.

Desired behavior

I want the cookie to expire in N hours, but as long as the user is using the app, the expiration time must be updated. The user should log in again only if N hours have passed since the last time he interacted with the app.

Question

Should I send a new cookie with each response, even if the only thing that changes is the expiration time? Is this considered a good practice?


What you need is called a refresh token.

You can find more detail about refresh tokens at:

https://www.rfc-editor.org/rfc/rfc6749#section-1.5 and https://developer.okta.com/docs/guides/refresh-tokens/main/
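
For comparison, the sliding expiration described in the question can be written as Express-style middleware that re-issues the cookie only when it is close to expiry. This is an added example, not code from the question or the answer. The cookie name `session`, the `auth_time` claim, N = 2 hours, the 24-hour absolute cap and the hand-rolled HS256 helpers (standing in for a JWT library) are all assumptions.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret';  // constructed; load from config in real use
const IDLE_SECONDS = 2 * 3600;             // the question's "N hours" (N = 2 assumed)
const ABSOLUTE_SECONDS = 24 * 3600;        // assumed hard cap counted from login

const b64u = (s) => Buffer.from(s).toString('base64url');
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Minimal HS256 JWT signer, standing in for a JWT library.
function sign(claims) {
  const body = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64u(JSON.stringify(claims));
  return body + '.' + mac(body).toString('base64url');
}

// Returns the claims if the signature is valid and exp is in the future, else null.
function verify(token, now) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const given = Buffer.from(parts[2], 'base64url');
  const expected = mac(parts[0] + '.' + parts[1]);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  return claims.exp > now ? claims : null;
}

// Express-style middleware factory; req.cookies is assumed to come from cookie-parser.
function slidingSession(clock = () => Math.floor(Date.now() / 1000)) {
  return (req, res, next) => {
    const now = clock();
    const claims = verify(req.cookies && req.cookies.session, now);
    if (!claims || now >= claims.auth_time + ABSOLUTE_SECONDS) return res.status(401).end();
    req.user = claims.sub;
    // Re-issue only once less than half the idle window remains, not on every response.
    if (claims.exp - now < IDLE_SECONDS / 2) {
      const exp = Math.min(now + IDLE_SECONDS, claims.auth_time + ABSOLUTE_SECONDS);
      const token = sign({ sub: claims.sub, auth_time: claims.auth_time, exp });
      res.cookie('session', token, {
        httpOnly: true, secure: true, sameSite: 'lax', maxAge: (exp - now) * 1000,
      });
    }
    next();
  };
}
```

Carrying `auth_time` forward unchanged is what keeps a continuously used (or stolen) cookie from being extended indefinitely: the new `exp` is clamped to the cap, after which the middleware returns 401.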