Expired Sessions in a Browser App

I’ve got some questions about how to deal with expired sessions in a browser app. It seems like the whoami endpoint returns session data even if the session has expired. So I need to handle that myself?

It seems to me that the login?refresh=true endpoint needs to be used to refresh that session. However the user has to enter their password, which isn’t really ideal in this case. It means I have to set a long session expiry, say 24 hours.

Are there any major security implications of having a long session expiry? Is there a way for a user to extend their session without having to “log in again”?

The issue has been resolved on master and we’ll also be adding a secondary check. The problem was that the cookie expiry time was not correctly being set. So there’s no need for you to work around this, it’s just a bug right now :slight_smile:

Logout behaves correctly!

I have pulled the latest code on master, built the docker image and deployed it to k8s, but it seems the log out flow doesn't work correctly. After logging out from the browser, I request the whoami endpoint with the session id in the cookie and still get a result with a valid session. Or do I misunderstand the point, that when logging out we don't set the session to expire?

There’s another patch which is part of a bigger change waiting to be merged. It adds active flags to sessions to ensure valid sessions!
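For a browser app that wants a defensive check on the client side, here is an added example (not code from the thread or from the project) of treating a whoami-style session as usable only when it is both within its expiry and flagged active, so a logged-out session or one with a missing or malformed expiry is rejected rather than trusted because a cookie is still present. The field names `active` and `expires_at`, the `whoamiUrl` parameter and the sample payloads are assumptions constructed for the example.

```javascript
// Added example, not from the thread or the project. Field names `active`
// and `expires_at` are assumed; adapt them to the actual whoami response.

// Returns true only if the session is active AND its expiry lies in the future.
// Fails closed on a missing or unparseable expiry.
function isSessionUsable(session, now = new Date()) {
  if (!session || typeof session !== 'object') return false;
  if (session.active !== true) return false;            // revoked or logged out
  const expiresAt = Date.parse(session.expires_at);
  if (Number.isNaN(expiresAt)) return false;            // no usable expiry: reject
  return expiresAt > now.getTime();
}

// Whole minutes left before a usable session expires; -1 if it is not usable.
// Lets the app send the user through the refresh flow before the session lapses.
function minutesUntilExpiry(session, now = new Date()) {
  if (!isSessionUsable(session, now)) return -1;
  return Math.floor((Date.parse(session.expires_at) - now.getTime()) / 60000);
}

// Classify a map of sessions so the decision for each one is visible at once.
function classifySessions(sessions, now = new Date()) {
  const result = {};
  for (const [name, session] of Object.entries(sessions)) {
    result[name] = isSessionUsable(session, now);
  }
  return result;
}

// Fetch the session with cookies included and apply the same check; returns
// null whenever the endpoint answers with an error or the session is unusable.
// `fetchImpl` is injected so the logic can be exercised without a network.
async function fetchUsableSession(fetchImpl, whoamiUrl, now = new Date()) {
  const response = await fetchImpl(whoamiUrl, { credentials: 'include' });
  if (!response.ok) return null;
  const session = await response.json();
  return isSessionUsable(session, now) ? session : null;
}

// Constructed sample data: a fixed "now" and four session payloads.
const SAMPLE_NOW = new Date('2020-06-01T12:00:00Z');
const SAMPLE_SESSIONS = {
  live:      { active: true,  expires_at: '2020-06-01T13:00:00Z' },
  expired:   { active: true,  expires_at: '2020-06-01T11:00:00Z' },
  loggedOut: { active: false, expires_at: '2020-06-01T13:00:00Z' },
  malformed: { active: true },                          // expiry missing
};

// Example run: only the "live" session should be usable, with 60 minutes left.
const SAMPLE_RESULT = classifySessions(SAMPLE_SESSIONS, SAMPLE_NOW);
```

The check deliberately requires both conditions: an `active` flag alone does not catch a session that has simply run out, and an expiry alone does not catch one that was revoked by logout before it expired. `minutesUntilExpiry` gives the app a hook to prompt for a refresh a little before the session actually lapses instead of discovering the expiry on a failed request.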
