I have a SPA app and have followed this tutorial here:
It seems that token renewal works, but as I understand it how this works is, a token will be renewed if a user is active during the session that the token expires, e. g.:
- User opens site
- Token valid for 1 more hour
- User is on site for the full hour and longer
- Token gets renewed
But what happens if the user leaves already after 30 minutes? Now the user will be marked as logged out when he’s back several hours later. The problem I have with this is that I do not want my users to be logged out yet. Think of any random site such as Product Hunt, you might not be on there every 2 hours such as on Facebook, you might come back every 1-3 weeks. Do sites like these simply increase their token expiry to be very high so it looks as if the token didn’t expire?
I believe token can be set to have a longer token expiry but is this how you should solve my problem or is there another renew mechanism you should use?
Also, another question I have about this based on the SPA demo … Let’s say the user hasn’t been on the site for over 2 hours, is it OK to simply renew the token, or how does the user get logged in again? Do they manually need to click on a login button?
Oh and if increasing the duration is fine, then I guess this needs to be done for the JWT (clients settings) and for the auth token (API settings)?