Expired Sessions in a Browser App

I’ve got some questions about how to deal with expired sessions in a browser app. It seems like the whoami endpoint returns session data even if the session has expired. So I need to handle that myself?

It seems to me that the login?refresh=true endpoint needs to be used to refresh that session. However, the user has to enter their password, which isn’t really ideal in this case. It means I have to set a long session expiry, say 24 hours.

Are there any major security implications of having a long session expiry? Is there a way for a user to extend their session without having to “log in again”?

The issue has been resolved on master and we’ll also be adding a secondary check. The problem was that the cookie expiry time was not correctly being set. So there’s no need for you to work around this; it’s just a bug right now 🙂

Logout behaves correctly!