I’ve got some questions about how to deal with expired sessions in a browser app. It seems like the
whoami endpoint returns session data even if the session has expired. So I need to handle that myself?
It seems to me that the
login?refresh=true endpoint needs to be used to refresh that session. However the user has to enter their password, which isn’t really ideal in this case. It means I have to set a long session expiry, say 24 hours.
Are there any major security implications of having a long session expiry? Is there a way for a user to extend their session without having to “log in again”?