
Mobile browsers access_token cookie deleted earlier than JWT expiry #256

Pirulax opened this issue Apr 16, 2024 · 1 comment

Pirulax commented Apr 16, 2024

The Max-Age of the access_token should perhaps be explicitly set to be the same as the exp of the JWT; this way (hopefully?) mobile browsers will keep the access_token for longer. Right now the Max-Age attribute is unset, which translates to Session (at least that's what the dev console says), which causes mobile browsers to not save the token for long enough (once the page switches to "Preview" the token seems to be gone, which is rather annoying) (See this).
I'm not entirely sure if this is the best solution to my problem; perhaps refresh tokens would be a better solution? (I guess they're stored differently, rather than per-session? Even if not, it seems to be a more "secure" solution.)


Pirulax commented Oct 24, 2024

According to a source:

...cookies that do not explicitly set an expiration date with Max-Age or Expires—as these are instead cleared when the browsing session ends....

That is, by default the JWT cookies expire before the JWT itself.
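The change both comments ask for, giving the access_token cookie a Max-Age derived from the JWT's exp claim instead of leaving it as a session cookie, as an added example that is not the project's own code. It assumes an HS256 token signed with a constructed secret; the helper names (make_jwt, read_exp, access_token_cookie, session_cookie) are hypothetical and the token and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from email.utils import formatdate
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jwt(secret: bytes, claims: dict) -> str:
    """Mint an HS256 JWT. Constructed helper so the example runs offline;
    a real service would use its JWT library instead."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def read_exp(token: str, secret: bytes) -> int:
    """Verify the HS256 signature, then return the exp claim (Unix seconds).
    Never trust exp from an unverified token: a client could otherwise
    hand back a forged payload with a far-future expiry."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad JWT signature")
    return int(json.loads(_b64url_decode(payload))["exp"])


def access_token_cookie(token: str, secret: bytes, now: Optional[int] = None) -> str:
    """Set-Cookie value whose lifetime ends exactly when the JWT does.

    Max-Age is the remaining seconds until exp (clamped at 0 so an expired
    token yields an immediately-discarded cookie); Expires carries the same
    instant as an HTTP-date for clients that ignore Max-Age. HttpOnly keeps
    the token away from page scripts, Secure restricts it to HTTPS.
    """
    now = int(time.time()) if now is None else now
    remaining = max(0, read_exp(token, secret) - now)
    expires = formatdate(now + remaining, usegmt=True)
    return (
        f"access_token={token}; Max-Age={remaining}; Expires={expires}; "
        "Path=/; HttpOnly; Secure; SameSite=Lax"
    )


def session_cookie(token: str) -> str:
    """The form the issue complains about: no Max-Age/Expires, so the browser
    treats it as a session cookie and may drop it long before the JWT's exp."""
    return f"access_token={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    secret = b"constructed-example-secret"          # constructed, not a real key
    issued_at = 1_700_000_000                        # constructed timestamp
    token = make_jwt(secret, {"sub": "user-1", "iat": issued_at, "exp": issued_at + 3600})
    print("weak:  ", session_cookie(token))
    print("fixed: ", access_token_cookie(token, secret, now=issued_at))
```

Because the cookie now persists across browser restarts, the JWT's exp becomes the only thing bounding how long a stolen or leftover token stays usable; keep exp short and pair it with a refresh mechanism rather than lengthening exp to compensate.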
