We’re using Hydra with our first-party SPA. The tokens are being stored in session storage, with the access_token having a lifetime of 1 hour. When a user closes the browser tab/window, the tokens are destroyed. However, if the user neglects to log out, they can return even days later and will be logged into their account (this is an undesirable behavior). We’ve traced this to Hydra’s session cookie.
Is there a way to disable this cookie, or set it to expire after a short period (after 1 minute, for example)?
Or, if there’s a better way to handle this (or if I’m missing an important concept), I’d love to hear your suggestions.