What is the recommended way for session refresh?

[HyunnoH]

Hi folks.

We have started integrating Ory Kratos with our React SPA application and backend service. I want to keep active user's session active while the session without recent activity expires.
AFAIK the session could be refreshed before it expires by using a self-service login start endpoint with ?refresh=true or session extend endpoint, but I'm confused about when, who, and where to refresh the session cookie. I have read #615 , #3246 but it's still confusing...

• Should I check the session expiration time for every request and manually refresh the current session? or are there any alternatives?
• Is it good and safe to renew the session in the backend application for each API call?

[MichaelMarner]

Refreshing the session by starting a new login flow with ?refresh=true will force the user to re-enter their password. This is good for cases where you want to re-verify the user, such as when they are about to perform some destructive action.

However, it isn't the right approach to just keeping a session active, which you want to happen transparently to the user in the background.

The way we have dealt with this is our API has an extend session, which in turn calls Kratos's backend API extendSession method. We have our apps configured so that on startup they call this API to extend the session. This works fine for our requirement of "user stays logged in for up to 2 weeks of inactivity".

[HyunnoH]

Hello @MichaelMarner, Thanks for the solution. Does your solution involve implementing a separate session extension API that internally calls Kratos' session extension API, and then calling that API on every initial page load?

[MichaelMarner]

Yes that's right. We have our own authenticated API, which clients call. This API uses the Kratos admin API to extend a session.

[roy-ruby]

Hi @MichaelMarner. I used Extend session API to extend session_token and it worked: expires_at changed. But if session_token expired before I call API to extend, this session will be inactive (active: false) and I can not continue using this session. So a user must re-input username and password again. I wonder do we have anyway to re-active this session or any idea?

[mathportillo]

Maybe useful to note that aeneasr said on the session renew PR that automatic extension by read operations like /whoami would be suceptible to CSRF

He is referencing to this comment on the issue that preceded the PR

So the current conclusion is that no config would auto refresh by read only operations like whoami

So the current available methods (as seen on that PR) is exactly what @MichaelMarner said in his comment

1. [...] starting a new login flow with ?refresh=true (docs)
2. Use Kratos's backend API extendSession method

More info in the docs:
https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions