alexedwards / scs

HTTP Session Management for Go
MIT License

Refreshing sessions for mobile app use #108

Closed fr3fou closed 3 years ago

fr3fou commented 3 years ago

Hi! Great library!

I'm developing a mobile app with JavaScript and have been wondering how I can use scs for long-lasting sessions in a mobile app. I've researched a bunch of articles and they all mention that having long sessions (6 months to a year or so) can be dangerous. I want to know how to implement longer sessions without the user having to log in every 30 days or so. My plan was to have my server automatically refresh the session (or generate a new one) on the server if a user has made a request recently and the token is approaching its expiration date. How can I achieve that easily with scs?

alexedwards commented 3 years ago

Sorry for the slow reply.

To make this easy, I think I would need to add a Deadline() method which exposes the expiry time for the current session.

If that was added to SCS, then I think you could do something like this:

I think this should work so long as you are not using an idle timeout on the session and are using the standard LoadAndSave() middleware.

Do you think this would work? Is it worthwhile exposing the session deadline via a Deadline() method?

alexedwards commented 3 years ago

I've added a new Deadline() method in commit https://github.com/alexedwards/scs/commit/33a92ced6c040d4221fadfd9661011459176f842 which exposes the 'absolute' expiry time associated with a session. I think it's useful information to expose generally, and I think it should help solve this issue too.

I'm going to close this issue, but if the addition of the Deadline() method doesn't solve the problem please feel free to re-open.
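
The refresh-near-expiry approach discussed in this thread, sketched as middleware. This is an added example, not code from the thread or from scs. It assumes a hypothetical `deadlineRenewer` interface whose methods mirror `Deadline` and `RenewToken` on `scs.SessionManager`, that `RenewToken` issues a new token and resets the session lifetime as scs does, and it uses a constructed `fakeSession` so it runs without scs.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// deadlineRenewer (hypothetical) mirrors Deadline and RenewToken on
// scs.SessionManager so this sketch compiles without importing scs.
type deadlineRenewer interface {
	Deadline(ctx context.Context) time.Time
	RenewToken(ctx context.Context) error
}

// refreshNearExpiry renews the session when a request arrives within window
// of its absolute deadline. With scs it must run inside LoadAndSave.
func refreshNearExpiry(sm deadlineRenewer, window time.Duration, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if left := time.Until(sm.Deadline(r.Context())); left > 0 && left < window {
			if err := sm.RenewToken(r.Context()); err != nil {
				http.Error(w, "session renewal failed", http.StatusInternalServerError)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// fakeSession is a constructed stand-in for a loaded session.
type fakeSession struct {
	deadline time.Time
	renewals int
}

func (f *fakeSession) Deadline(context.Context) time.Time { return f.deadline }
func (f *fakeSession) RenewToken(context.Context) error   { f.renewals++; return nil }

// renewalsAfterRequest sends one request for a session with `left` remaining.
func renewalsAfterRequest(left, window time.Duration) int {
	fs := &fakeSession{deadline: time.Now().Add(left)}
	h := refreshNearExpiry(fs, window, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest("GET", "/", nil))
	return fs.renewals
}

func main() { fmt.Println(renewalsAfterRequest(48*time.Hour, 7*24*time.Hour)) }
```

Because renewal replaces the session token, the client has to store the token returned on that response; a session that is never used inside the window still expires at its original deadline.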