What is the recommended way for session refresh?

[HyunnoH]

Hi folks.

We have started integrating Ory Kratos with our React SPA application and backend service. I want to keep active user's session active while the session without recent activity expires.
AFAIK the session could be refreshed before it expires by using a self-service login start endpoint with ?refresh=true or session extend endpoint, but I'm confused about when, who, and where to refresh the session cookie. I have read #615 , #3246 but it's still confusing...

• Should I check the session expiration time for every request and manually refresh the current session? or are there any alternatives?
• Is it good and safe to renew the session in the backend application for each API call?

[MichaelMarner]

Refreshing the session by starting a new login flow with ?refresh=true will force the user to re-enter their password. This is good for cases where you want to re-verify the user, such as when they are about to perform some destructive action.

However, it isn't the right approach to just keeping a session active, which you want to happen transparently to the user in the background.

The way we have dealt with this is our API has an extend session, which in turn calls Kratos's backend API extendSession method. We have our apps configured so that on startup they call this API to extend the session. This works fine for our requirement of "user stays logged in for up to 2 weeks of inactivity".

[HyunnoH]

Hello @MichaelMarner, Thanks for the solution. Does your solution involve implementing a separate session extension API that internally calls Kratos' session extension API, and then calling that API on every initial page load?

[MichaelMarner]

Yes that's right. We have our own authenticated API, which clients call. This API uses the Kratos admin API to extend a session.