Session Token Rotation

[nightloewe1]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

I'm implementing an application where I want to have long time session tokens to not force my users to re-login after any period of time. Basically I want them to stay logged in, even for years, for User Experience purposes. But I want to regenerate the session token every 24 hours to reduce an attack vector where one could try to guess the session token over time to get access to an account.

Describe your ideal solution

Ideal solution would be to make an endpoint that may be enabled by config that regenerates the session token or cookie with a new value.

Either by an admin endpoint or user endpoint, e.g.
/sessions/regenerate
Or
/admin/sessions/{id}/regenerate

Workarounds or alternatives

As far as I checked there is no workaround without breaking the intended User Experience

Version

v25.4.0

Additional Context

No response

[vinckr]

Hello @nightloewe1

have you considered this API: https://www.ory.com/docs/reference/api#tag/identity/operation/extendSession ?