How Can I Manage Refresh Token Expiration in My SPA?

Asked By CuriousCoder99 On

I'm working on a client-server setup for my single-page application (SPA). After a user logs in, I use the OAuth flow to retrieve their user ID, and my backend sets both an access token and a refresh token in cookies. The access token expires after 15 minutes while the refresh token lasts for 24 hours. Currently, the refresh logic operates through an Axios interceptor, which functions well. However, I'm struggling with handling refresh token expiration. If an API request fails because the refresh token has expired, I initially redirect the user back to the OIDC provider. But this poses a problem since the refresh token is valid for a full 24 hours, potentially interrupting users who are actively using the app. Any suggestions?

2 Answers

Answered By WebWizard88 On

Totally get your struggle! For a 24-hour expiration, a hard redirect feels a bit aggressive. Have you thought about showing a modal first to ask if the user wants to extend their session before redirecting? That could give them a more graceful way to stay logged in.

UserHelper2000 -

If users decide they want to continue their session, would I simply regenerate an entirely new set of refresh and access tokens, ignoring the need for the expired refresh token to be valid?

Answered By TechSavvy123 On

I've faced a similar issue before! Instead of forcibly redirecting users, consider catching the refresh token failure and displaying a small modal or toast notification that says, 'Session expired, please log in again.' This way, you give users a heads-up and allow them to save their work before you redirect them. Sudden redirects can be quite jarring, especially in SPAs.

CodeWhisperer42 -

Exactly! Plus, being proactive with your refresh logic helps a lot. You shouldn't let refresh tokens sit until they expire. If your expiration is set to 24 hours, try refreshing the user's session every 8-12 hours instead. Keeping it under 50% of the expiration time can significantly minimize the chances of hitting that expiration wall.
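Putting the two answers together (catch the refresh failure and hand it to the UI instead of hard-redirecting; refresh proactively well before the 24-hour limit), here is an added example in plain JavaScript that is not code from any poster. It assumes a `request(config)` function returning `{status, data}` and a `refresh()` function that returns true while the refresh cookie is still valid; the backend below is a constructed fake so the example runs offline.

```javascript
// Added example (not from the thread): an Axios-style retry-on-401 wrapper
// that refreshes once, shares that refresh among concurrent requests, and
// reports a refresh failure to the UI rather than redirecting immediately.
// Assumed interfaces: request(config) -> {status, data}; refresh() -> bool.
const REFRESH_TTL_MS = 24 * 60 * 60 * 1000; // 24 h refresh token, as in the question

// Proactive refresh: CodeWhisperer42's rule of thumb is to refresh well under
// 50% of the refresh-token lifetime (12 h for a 24 h token at fraction 0.5).
function proactiveRefreshInterval(refreshTtlMs, fraction = 0.5) {
  if (fraction <= 0 || fraction > 0.5) throw new RangeError('fraction must be in (0, 0.5]');
  return Math.floor(refreshTtlMs * fraction);
}

function createSessionManager({ request, refresh, onSessionExpired }) {
  let inflight = null; // one refresh shared by every request that hits 401 together
  function refreshOnce() {
    if (!inflight) inflight = refresh().finally(() => { inflight = null; });
    return inflight;
  }
  async function send(config) {
    const res = await request(config);
    if (res.status !== 401 || config._retried) return res; // retry at most once
    const renewed = await refreshOnce();
    if (!renewed) {
      onSessionExpired(); // refresh token gone: UI shows a modal/toast, user saves work
      return res;
    }
    return request({ ...config, _retried: true });
  }
  return { send };
}

// Constructed fake backend: access token already expired, refresh cookie
// valid or not depending on the flag. Counts refresh calls for inspection.
function makeFakeBackend({ refreshValid }) {
  const state = { accessValid: false, refreshCalls: 0 };
  return {
    state,
    request: async (cfg) => (state.accessValid
      ? { status: 200, data: `ok:${cfg.url}` } : { status: 401, data: null }),
    refresh: async () => { state.refreshCalls++; state.accessValid = refreshValid; return refreshValid; },
  };
}

// Two concurrent API calls with an expired access token.
async function demo(refreshValid) {
  const backend = makeFakeBackend({ refreshValid });
  let expired = false;
  const session = createSessionManager({ ...backend, onSessionExpired: () => { expired = true; } });
  const [a, b] = await Promise.all([session.send({ url: '/api/me' }), session.send({ url: '/api/docs' })]);
  return { statuses: [a.status, b.status], expired, refreshCalls: backend.state.refreshCalls };
}
```

With a valid refresh cookie both calls succeed after a single shared refresh; with an expired one both stay 401 and `onSessionExpired` fires so the UI can warn the user before any redirect.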
