Node.js - Should I refresh cookie with each request/response to update expiration time?
Authentication method
In my Node.js (w/ Express.js) back-end, I authenticate users using a JWT that is stored in a cookie with the HttpOnly
flag. The cookie expires in N hours. A middleware checks whether the JWT is valid and either calls the next()
function or sends a 401 status.
Current behavior
If the cookie expires, the user must log in again, even if he was still using the app.
Desired behavior
I want the cookie to expire in N hours, but as long as the user is using the app, the expiration time must be updated. The user should log in again only if N hours have passed since the last time he interacted with the app.
Question
Should I send a new cookie with each response, even if the only thing that changes is the expiration time? Is this considered good practice?
What you need is called a refresh token.
You can find more detail about refresh tokens at:
https://www.rfc-editor.org/rfc/rfc6749#section-1.5 and https://developer.okta.com/docs/guides/refresh-tokens/main/