I'm developing a PWA in ASP.NET MVC and I want to know if there is a possibility to keep the user's session alive indefinitely.
Thanks in advance.
Yes
If you use token authentication, which you should be doing, then you persist the user's token in storage. I use IndexedDB, but localStorage works as well. You then add the token to the authentication header of any request requiring authentication.
You will need to configure your identity solution, like AWS Cognito, Auth0 or Identity Server to allow the user's token to persist indefinitely.
Most identity solutions have the notion of a refresh token. This is because keeping the same token is a bad security practice. So you silently update the id token in the background while they are working. This keeps the token fresh and helps keep UIs from constantly nagging for login.
Now is it a good idea to keep someone logged in forever? No, not really. You should set a threshold that will trigger them to reauthenticate at some point in time. Most applications I work on use either 1-day, 1-week or 30-day windows.
Note: I did not mention MSFT identity b/c it is just awful.
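A sketch of the flow this answer describes (stored token, silent refresh, forced re-authentication after a fixed window), added here as an example and not code from the original answer. `SessionManager`, `refreshFn`, the token field names and the one-week window are assumptions; `store` is any localStorage-compatible object.

```javascript
// Added example. SessionManager, refreshFn and the token field names are hypothetical.
const MAX_SESSION_MS = 7 * 24 * 60 * 60 * 1000; // assumed re-authentication window: 1 week
const REFRESH_SKEW_MS = 60 * 1000;              // refresh one minute before expiry

class SessionManager {
  // store: localStorage-compatible object (getItem/setItem/removeItem).
  // refreshFn: async (refreshToken) => ({ accessToken, refreshToken?, expiresInSec }),
  //            i.e. the call to your identity provider's token endpoint.
  constructor(store, refreshFn, now = () => Date.now()) {
    this.store = store;
    this.refreshFn = refreshFn;
    this.now = now;
  }

  // Call once after an interactive login; loginAt anchors the absolute window.
  login({ accessToken, refreshToken, expiresInSec }) {
    const t = this.now();
    this.save({ accessToken, refreshToken, loginAt: t, expiresAt: t + expiresInSec * 1000 });
  }

  save(session) { this.store.setItem('session', JSON.stringify(session)); }
  load() { const raw = this.store.getItem('session'); return raw ? JSON.parse(raw) : null; }
  logout() { this.store.removeItem('session'); }

  // Returns the Authorization header, or null when the user must log in again.
  async authHeader() {
    let s = this.load();
    if (!s) return null;
    // Absolute cap: silent refreshes never extend the session past the window.
    if (this.now() - s.loginAt >= MAX_SESSION_MS) { this.logout(); return null; }
    if (this.now() >= s.expiresAt - REFRESH_SKEW_MS) {
      try {
        const r = await this.refreshFn(s.refreshToken);
        s = { accessToken: r.accessToken,
              refreshToken: r.refreshToken || s.refreshToken, // provider may rotate it
              loginAt: s.loginAt,
              expiresAt: this.now() + r.expiresInSec * 1000 };
        this.save(s);
      } catch {
        this.logout(); // refresh rejected (revoked or expired): drop stored tokens
        return null;
      }
    }
    return { Authorization: `Bearer ${s.accessToken}` };
  }
}
```

Treat the client-side window as a convenience: the identity provider should enforce the same absolute lifetime on the refresh token, and tokens kept in localStorage or IndexedDB are readable by any script running on the origin.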