Should we keep a second, longer-lived cookie that is also cleared by logout? That way, we can differentiate between a first visit, an expired session, and a logout.
I think it's simpler than that - cookies should always have max TTL so they never expire. If we validate a JWT that is expired, then we should redirect to /login so that the token is updated. The other issue here is that popular frameworks like next-auth prevent this token expiration by constantly re-issuing tokens with an updated expiration every time it's interacted with. The problem we're having here is that even with constant use, our users are constantly logged out over time.
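The flow discussed above, as an added example that is not part of the original thread or of any project's code: the cookie itself is long-lived, the server checks the JWT's `exp`, an expired token redirects to /login, and every valid request re-issues the token with a fresh expiry. The helper names, the secret, the TTL values and the `auth_time` hard cap on total session age are assumptions made for this sketch.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value; use a managed secret in practice
const IDLE_TTL = 15 * 60;                 // assumed idle window, in seconds
const ABSOLUTE_TTL = 12 * 60 * 60;        // assumed hard cap since login, in seconds

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (data) => createHmac('sha256', SECRET).update(data).digest();

// Minimal HS256 JWT signer (hypothetical helper, stands in for a JWT library).
function sign(claims) {
  const body = `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(claims)}`;
  return `${body}.${mac(body).toString('base64url')}`;
}

// Returns the claims if the signature is valid, otherwise null. Expiry is checked by the caller.
function verify(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const got = Buffer.from(parts[2], 'base64url');
  const want = mac(`${parts[0]}.${parts[1]}`);
  if (got.length !== want.length || !timingSafeEqual(got, want)) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
    return typeof claims.exp === 'number' && typeof claims.auth_time === 'number' ? claims : null;
  } catch {
    return null;
  }
}

function login(sub, now) {
  return sign({ sub, auth_time: now, exp: now + IDLE_TTL });
}

// sessionCookie: value of the long-lived cookie, or undefined when absent (first visit or logout).
function handleRequest(sessionCookie, now) {
  if (!sessionCookie) return { redirect: '/login', reason: 'no_session' };
  const claims = verify(sessionCookie);
  if (!claims) return { redirect: '/login', reason: 'invalid' };
  if (now >= claims.exp) return { redirect: '/login', reason: 'expired' };
  if (now - claims.auth_time >= ABSOLUTE_TTL) return { redirect: '/login', reason: 'max_age' };
  // Sliding renewal: keep the original login time, push the idle expiry forward.
  const setCookie = sign({ sub: claims.sub, auth_time: claims.auth_time, exp: now + IDLE_TTL });
  return { redirect: null, reason: 'ok', setCookie };
}
```

Because the cookie outlives the token, an expired session still presents a signed but stale JWT, which is what lets the server tell `expired` apart from `no_session` without a second cookie.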