by danielweber 3478 days ago
> Now all tokens auto-invalidate after a certain period.

You need to make sure that there is some process that will refuse to keep on re-upping the cookie lifetime. Otherwise an attacker could indefinitely keep the stolen cookie alive.


If you see a suspicious usage pattern then force a login by invalidating the tokens. Allowing indefinite refreshing is a feature and a drawback of this method.
You can combine a session cookie with a JWT token that gets sent over a header
Which gives you the worst of both worlds
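Added example (not code from any commenter in this thread) illustrating the two points above: a sliding idle timeout that is also capped by an absolute lifetime measured from issuance, so a stolen cookie cannot be kept alive forever by periodic use, plus a revoke-on-suspicion path that forces re-login. The `SessionStore`, `FakeClock` and helper names are constructed for this example; passing `absolute_lifetime=None` reproduces the unbounded "keep re-upping" behaviour the first comment warns about, for comparison.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user_id: str
    issued_at: float      # set once at creation; the absolute cap is measured from here
    expires_at: float     # sliding deadline, pushed forward on every successful use
    revoked: bool = False


class SessionStore:
    """In-memory opaque-token session store (constructed for this example)."""

    def __init__(self, idle_timeout: float, absolute_lifetime: Optional[float] = None,
                 clock: Callable[[], float] = time.time):
        self.idle_timeout = idle_timeout
        # None = no hard cap, i.e. the 'indefinite refreshing' drawback
        self.absolute_lifetime = absolute_lifetime
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        now = self._clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, now, now + self.idle_timeout)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live token, else None.

        Refreshes the idle deadline on use, but never past issued_at + absolute_lifetime,
        so activity alone cannot extend a session beyond the hard cap."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        now = self._clock()
        hard_deadline = (s.issued_at + self.absolute_lifetime
                         if self.absolute_lifetime is not None else float("inf"))
        if now >= s.expires_at or now >= hard_deadline:
            del self._sessions[token]
            return None
        s.expires_at = min(now + self.idle_timeout, hard_deadline)
        return s.user_id

    def revoke_user(self, user_id: str) -> int:
        """Force re-login for every live session of a user (e.g. after a suspicious-usage signal)."""
        n = 0
        for s in self._sessions.values():
            if s.user_id == user_id and not s.revoked:
                s.revoked = True
                n += 1
        return n


class FakeClock:
    """Deterministic clock so the expiry behaviour can be exercised without sleeping."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def touches_before_expiry(store: SessionStore, clock: FakeClock, step: float, max_steps: int) -> int:
    """Create a session and touch it every `step` seconds (simulating a holder who keeps
    re-upping the cookie); return how many touches succeeded before the session died."""
    token = store.create("alice")
    ok = 0
    for _ in range(max_steps):
        clock.advance(step)
        if store.validate(token) is None:
            break
        ok += 1
    return ok


if __name__ == "__main__":
    idle, cap, step = 15 * 60, 8 * 3600, 10 * 60
    clk = FakeClock(1_000.0)
    print("no cap  :", touches_before_expiry(SessionStore(idle, None, clk), clk, step, 1000), "touches")
    print("8h cap  :", touches_before_expiry(SessionStore(idle, cap, clk), clk, step, 1000), "touches")
    s = SessionStore(idle, cap, clk)
    t = s.create("alice")
    print("revoked :", s.revoke_user("alice"), "session(s);", "valid after revoke:", s.validate(t))
```

With a 15-minute idle timeout and a touch every 10 minutes, the uncapped store never expires the session, while the 8-hour cap ends it after 47 touches regardless of activity; the idle timeout still fires on its own if the token goes unused for 15 minutes.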