arnar
commented
2 months ago We do expect that browsers try to pre-emptively refresh before the cookies expire. This takes some care as indefinite background pings when the user isn't actually using that website/app don't quite make sense from a privacy perspective. So we've left the triggers and timing for this that browser implementations should control.
To remove latency from calling APIs where the cookie has expired and the browser does the refresh adding latency, I would likely set a timer to POST to /securesession/refresh on a regular basis. Perhaps doing this could be part of the API?