Okta Classic Engine | Authentication | Answered | 2025-09-13T09:01:51.000Z | 2023-11-02T17:14:50.000Z | 2023-11-02T21:47:03.000Z

JohnF.97118 (Customer) asked a question.

Sessions API refresh does not work as expected

I have a product development team who are trying to create a session "keep alive" process using the Sessions API. However, it doesn't seem to be working as expected. This is to get around the idle timeout for users actively working on a page, while still maintaining the idle timeout for users who are genuinely idle.

 

The current user session can be retrieved via the sessions/me endpoint. The session ID can then be successfully used to call the lifecycle/refresh endpoint. When the me endpoint is called again, the expiry time of the session reflects the update as a result of the refresh. Everything appears to be working as expected in terms of the Sessions API.

 

But... the session still expires at the original session expiry time; not the updated time. Attempting to retrieve new access tokens beyond the original expiry time forces the user to have to reauthenticate. This is unexpected. The system should honour the new session expiry time and maintain the session life accordingly.

 

It would appear as though the Sessions API refresh action updates the expiry time of the session on the server, but this is not reflected in the session cookie on the browser?


  • a0n5s (a0n5s)

    Does "original session expiry time" mean the user logs in to one application, then Okta creates a new session for this user? I think the application policy may define something like reauthenticate every 2 hours. Could you check it? Could you provide the global policy and application policy?

    • JohnF.97118 (Customer)

      The global session policy is for the session to expire after 2 hours of idle. The purpose of the Sessions API endpoint is to reset the idle timer and therefore extend the session by 2 hours. But this does not happen.

      • a0n5s (a0n5s)

        Could you call an API before you refresh the token?

This question is closed.
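
The keep-alive flow described in the question, gated on real user activity so that genuinely idle users still hit the idle timeout, as an added example that is not part of the original thread and not Okta's own code. `ORG_URL` is a placeholder, `createKeepAlive` and its options are hypothetical names, and the org is assumed to accept credentialed cross-origin requests from the page; the example uses the `me` form of the refresh endpoint and only reports whether `expiresAt` advanced.

```javascript
// Added example: activity-gated keep-alive using the Okta Sessions API.
// fetchImpl and now are injectable so the logic can be exercised offline.
const ORG_URL = "https://example.okta.com"; // placeholder org URL (assumption)

function createKeepAlive({ fetchImpl = globalThis.fetch, now = Date.now,
                           minIntervalMs = 5 * 60 * 1000 } = {}) {
  let lastActivity = 0; // time of the last real user interaction
  let lastRefresh = 0;  // time of the last successful refresh

  async function call(method, path) {
    // credentials: "include" sends the Okta session cookie with the request
    const res = await fetchImpl(ORG_URL + path, {
      method, credentials: "include", headers: { Accept: "application/json" },
    });
    if (res.status === 404) return null; // no active session for this browser
    if (!res.ok) throw new Error(`Sessions API ${path} returned ${res.status}`);
    return res.json();
  }

  return {
    // Wire this to keydown / pointerdown handlers on the working page.
    recordActivity() { lastActivity = now(); },

    // Call this from a timer. It refreshes only if the user was active
    // since the last refresh, and never more often than minIntervalMs.
    async tick() {
      if (lastActivity <= lastRefresh) return { action: "skipped-idle" };
      if (lastRefresh !== 0 && now() - lastRefresh < minIntervalMs) {
        return { action: "skipped-throttled" };
      }
      const before = await call("GET", "/api/v1/sessions/me");
      if (!before) return { action: "no-session" };
      const after = await call("POST", "/api/v1/sessions/me/lifecycle/refresh");
      if (!after) return { action: "no-session" };
      lastRefresh = now();
      // Compare the server-side expiry before and after the refresh.
      const extended = Date.parse(after.expiresAt) > Date.parse(before.expiresAt);
      return { action: "refreshed", extended,
               before: before.expiresAt, after: after.expiresAt };
    },
  };
}
```

Logging the returned `before`/`after` values next to the time at which token renewal starts failing gives a timeline to compare against the global session policy and the application's sign-on policy.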