I am trying to secure my login system using authentication cookies.
If the user tries to access a protected resource they must provide an authentication cookie. If the cookie is valid, the request is authenticated and the resource is returned, along with a new auth cookie for the user.
I rotate the auth cookie as an extra protective measure. In case anyone managed to steal it, it would only be valid until the user made their next request.
However, if the user makes a request and the server authenticates it, but the user closes the browser before the resource and new cookie reach the client, then the browser’s cookie is not the same as the token in the database. Any further requests can’t be authenticated and the user is forced to log in again.
What’s the correct approach to this? Should I not send a new token with every response? Should the browser confirm that it received the new token?
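The rotate-on-every-request scheme described in the question, as an added Python example that is not part of the original post. It assumes one common way of handling the lost-response case, which the post itself does not state: the server keeps the previous token valid until the client first presents the new one, so a response that never reaches the browser does not log the user out.

```python
import hashlib
import secrets

# Added example (not from the original post): a server-side store for
# per-request rotating auth cookies that tolerates a lost response.
# Assumption: each session remembers its current token and the previous
# one; the previous token stays valid until the client presents the
# current token, which proves the rotated cookie actually arrived.
class RotatingSessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user", "current", "previous"} (token hashes)
        self._by_hash = {}   # token hash -> session id

    @staticmethod
    def _h(token):
        # Store only hashes so a leaked database does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, sid):
        token = secrets.token_urlsafe(32)
        self._sessions[sid]["current"] = self._h(token)
        self._by_hash[self._h(token)] = sid
        return token

    def login(self, user):
        sid = secrets.token_hex(8)
        self._sessions[sid] = {"user": user, "current": None, "previous": None}
        return self._issue(sid)

    def authenticate(self, token):
        """Return (user, new_cookie) if the cookie is valid, else None."""
        h = self._h(token)
        sid = self._by_hash.get(h)
        if sid is None:
            return None
        s = self._sessions[sid]
        if h == s["current"]:
            # Receipt of the last rotation is proven: retire the fallback token.
            if s["previous"] is not None:
                self._by_hash.pop(s["previous"], None)
            s["previous"] = h
        else:  # h == s["previous"]: the last response never reached the client
            # Drop the token nobody received and keep the presented one as
            # the fallback. If a stolen previous token is presented instead, the
            # legitimate browser's current cookie stops working, which surfaces
            # the theft as an unexpected logout rather than a silent session.
            self._by_hash.pop(s["current"], None)
        return s["user"], self._issue(sid)
```

Each session has at most two live tokens at any time, so the window for a stolen cookie stays one request wide for the normal path while the lost-response path no longer forces a fresh login.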