
Authentication method

In my Node.js (with Express.js) back-end, I authenticate users using a JWT that is stored in a cookie with the HttpOnly flag. The cookie expires in N hours. A middleware checks whether the JWT is valid and either calls the next() function or sends a 401 status.

Current behavior

If the cookie expires, the user must log in again, even if he was still using the app.

Desired behavior

I want the cookie to expire in N hours, but as long as the user is using the app, the expiration time must be updated. The user should log in again only if N hours have passed since the last time he interacted with the app.

Question

Should I send a new cookie with each response, even if the only thing that changes is the expiration time? Is this considered good practice?

Super Kai - Kazuya Ito
treecon

1 Answer


What you need is called a refresh token.

You can find more detail about refresh tokens at:

https://www.rfc-editor.org/rfc/rfc6749#section-1.5 and https://developer.okta.com/docs/guides/refresh-tokens/main/

1sina1
    Thanks for the answer. I ended up using a refresh token due to the other benefits it offers: https://stackoverflow.com/questions/10703532/whats-the-point-of-refresh-token. However, what if someone goes without a refresh token? Could he follow the approach I describe? – treecon Jan 23 '22 at 06:55