
Session should NOT expire having the browser open

Open pditommaso opened this issue 5 years ago • 3 comments

The session should never expire as long as the user keeps the browser open in the application.

pditommaso, Jul 10 '19 13:07

This is still happening!

pditommaso, Sep 11 '19 16:09

Related https://security.stackexchange.com/questions/166704/jwt-a-solution-to-let-the-token-expire-after-a-certain-time-of-inactivity

pditommaso, Sep 11 '19 17:09

I never made any progress regarding this issue, Paolo. Nevertheless, the session cookie achieves this behaviour (kind of, because some browsers keep the session cookie even if the browser is closed; it depends on the browser).

If you want to implement this with the JWT mechanism, maybe setting an expiration time of 0 means the JWT never expires (haven't tested it, although in practical terms a very large value like Integer.MAX will achieve the same behaviour). Using an "infinite duration" token in combination with sessionStorage instead of localStorage to save the user data could do the trick. The caveats are: on the one hand, that sessionStorage doesn't persist data through tabs of the same window or other browser windows (but that might not be much of a problem because this is a Single Page Application); on the other hand, that JWTs would never expire (the only way to invalidate them would be to change the signing key on backend restarts).

Another option would be to have a reasonable expiration date and refresh the token in the background from time to time.

tcrespog, Sep 12 '19 05:09
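
The last option in the comment above (a reasonable expiration, refreshed in the background while the page is open) could look like this on the client. This is an added example, not part of the thread or of nf-tower's code; the function names, the `token` storage key and the `fetchToken` refresh call are assumptions.

```javascript
// Added example. All names (decodeExp, refreshDelayMs, startSilentRefresh,
// fetchToken, the "token" storage key) are hypothetical, not nf-tower code.

// Read `exp` (seconds since epoch) from a compact JWT. No signature check:
// the client only schedules with it; the backend still verifies every token.
function decodeExp(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const json = atob(parts[1].replace(/-/g, '+').replace(/_/g, '/'));
  const exp = JSON.parse(json).exp;
  return typeof exp === 'number' ? exp : null; // null: token never expires
}

// Milliseconds to wait before refreshing, `skewSec` ahead of expiry.
function refreshDelayMs(token, nowMs, skewSec = 60) {
  const exp = decodeExp(token);
  if (exp === null) return null;
  return Math.max(0, (exp - skewSec) * 1000 - nowMs);
}

// Keep the token in `storage` (sessionStorage in a browser) fresh while the
// page is open. `fetchToken(old)` is the app's call to its refresh endpoint.
function startSilentRefresh({ storage, fetchToken, now = Date.now,
                              timer = setTimeout, cancel = clearTimeout }) {
  let handle = null, stopped = false;
  const schedule = () => {
    const token = storage.getItem('token');
    if (stopped || !token) return;
    const delay = refreshDelayMs(token, now());
    if (delay === null) return; // no expiry claim, nothing to refresh
    handle = timer(async () => {
      try {
        storage.setItem('token', await fetchToken(token));
        schedule(); // re-arm for the new token's expiry
      } catch (err) {
        storage.removeItem('token'); // refresh refused: the session ends
      }
    }, delay);
  };
  schedule();
  return () => { stopped = true; cancel(handle); };
}
```

Closing the tab stops the timer and discards sessionStorage, so an abandoned token lapses at its own `exp` instead of living until the signing key changes.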