I'm developing a browser app that allows users to stay signed in on the login screen by storing an authentication token in a cookie. However, I know I can't make this cookie last indefinitely due to security risks. Currently, I've set the expiration to 2 weeks, but I'm curious to hear what others recommend as a reasonable duration for this kind of cookie.
3 Answers
For security purposes, it's best to keep the login session cookie short-lived. However, you can refresh its expiration whenever the user interacts with the app—kind of like resetting an idle timer. This way, as long as they're active, they can stay signed in securely.
What I usually do is set the auth token to expire in 15 minutes, while the refresh token is set for 30 days. This way, users can stay signed in without compromising security.
It really depends on your setup. If the token is standalone and isn't backed by any session validation on the server side, you might want to keep the cookie short-lived. A common approach is using an auth token paired with a refresh token. Since your token holds user details, ensure it aligns with your session management to ensure a good balance between usability and security.
