I have the following scenario:
- A user visits my SPA (web).
- The user logs in and receives an access token that will expire in, let’s say, 1 hour. The token is stored in local storage.
- An hour passes by and the user is still using the application.
- The user has to re-login and loses unsaved work.
As I understand there are a few different solutions:
- Refresh token. But this is not preferred in a SPA (since there is no safe place to store the refresh token).
- Extend the lifetime. The problem will remain. Even if I set the lifetime to one day, the user can leave the browser open and get back to work right before the time expires.
- Silent Authentication, but that requires SSO, which I do not use.
What is the best practice?
Ideally, I want to keep the user logged in for a week, and if the user visits the site within that week the session should be extended. Meaning: if the user keeps coming back, the user will be logged in forever. Is this possible?
Is it possible to get a new access token from an existing one (that is still valid)?
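The expiry problem described in the question (a one-hour token lapsing while the user is mid-work) is usually handled on the client by reading the token's `exp` claim and acting before it runs out, rather than discovering the expiry on a failed request. The following is an added example, not code from the original post or from any identity provider's SDK: it decodes the `exp` claim of a JWT locally, computes how long remains, and schedules a renewal or re-authentication callback a configurable leeway ahead of expiry. The sample token, the `user-123` subject and the placeholder signature are constructed for the example; the client never verifies the signature here, since that remains the server's job on every request.

```javascript
// Added example (not from the original post): a client-side expiry monitor
// for a SPA's access token. The "exp" claim is read locally ONLY to decide
// when to renew or prompt for re-login; the server still validates the
// signature and expiry on every request it receives.

// Base64url decode. In a browser you would use atob(); Buffer is used here so
// the example runs under Node.
function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Extract the "exp" claim (seconds since epoch). No signature check: this is
// scheduling information only, never an authorization decision.
function getExpirySeconds(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof payload.exp !== 'number') throw new Error('no exp claim');
  return payload.exp;
}

// Milliseconds until the token expires (negative once it has expired).
function msUntilExpiry(token, nowMs = Date.now()) {
  return getExpirySeconds(token) * 1000 - nowMs;
}

// True when fewer than `leewaySec` seconds remain, i.e. time to renew.
function needsRenewal(token, nowMs = Date.now(), leewaySec = 300) {
  return msUntilExpiry(token, nowMs) <= leewaySec * 1000;
}

// Schedule `onRenew` to fire `leewaySec` before expiry. `onRenew` is where the
// app should persist unsaved work (e.g. a draft) before redirecting to login
// or starting a renewal flow. Returns the delay so callers can inspect it;
// `timer` defaults to setTimeout and is injectable for tests.
function scheduleRenewal(token, onRenew,
    { nowMs = Date.now(), leewaySec = 300, timer = setTimeout } = {}) {
  const delayMs = Math.max(0, msUntilExpiry(token, nowMs) - leewaySec * 1000);
  timer(onRenew, delayMs);
  return delayMs;
}

// Build a constructed sample token (header.payload.signature). The signature
// is a placeholder string; a real token would carry an HMAC/RSA signature
// that only the server verifies.
function makeSampleToken(expSeconds) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({ sub: 'user-123', exp: expSeconds }));
  return `${header}.${payload}.placeholder-signature`;
}

module.exports = { getExpirySeconds, msUntilExpiry, needsRenewal, scheduleRenewal, makeSampleToken };
```

Wiring `scheduleRenewal` to a callback that first saves the user's draft and then triggers whichever renewal path the app supports (a renewal request to the backend or a redirect to login) is what prevents the lost-work scenario; the monitor alone does not extend any session.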