firebase
refresh session cookies
I would like to set the session lifetime for the client to 6 hours. And if the user logged in and did not take any action during this time, then log out him and redirect him to the login page. But if the user has been making requests to the server with a valid token for 6 hours, I would like to update this token and start the token lifetime again.
If I follow the instructions according to the firebase session cookies documentation found here https://firebase.google.com/docs/auth/admin/manage-cookies?hl=en
I can generate the session token on the server in exchange for a idToken and return the session ID to the client as a cookie. And after that we only use the session token between client and server as cookie, We can also check if the session has expired using verifySessionCookie.
but i can't figure out a way of refreshing the session cookie without telling the user to sign in again. could you help me understand how this can be implemented?
I have the same issue, I found a kind of solution but I'm not sure it is secure enough and I'm not sure is a valid way, I never tried this in prod but just play with it locally but, maybe it can help:
const idToken = req.cookies.session;
const session = await auth().verifySessionCookie(idToken, true);
if (session) {
const customToken = await auth().createCustomToken(session.uid);
const response = await fetch(
`${GOOGLE_API}:signInWithCustomToken?key=${process.env.NEXT_PUBLIC_API_KEY}`,
{
method: "POST",
cache: "no-cache",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ token: customToken, returnSecureToken: true }),
},
);
const result = await response.json();
const sessionCookie = await auth().createSessionCookie(result.idToken, {
expiresIn,
});
setCookie(res, "session", sessionCookie, {
...cookieOptions,
maxAge: expiresIn,
});
return res.json({ session, customToken, sessionCookie });
}
I use this in a refresh endpoint so you call that whenever you want to refresh the cookie
