I'm using the jsonwebtoken package in node js. I'm generating a token like so:
var jwt = require('jsonwebtoken');
var token = jwt.sign({ email: email }, secret, { expiresIn: 144000 }); // a numeric expiresIn is interpreted in seconds
The token is generated, but when I look at Chrome's cookies console, the value of "Expires / Max-Age" column is "Session", and not 24 hours from now as I would expect. I also tried setting expiresIn to '1d', but the result was the same.
Thanks.
Once the server computes the token, it must send it to the client. It is then the responsibility of the client to send the token as the argument of the Authorization HTTP header for each subsequent HTTP request. In other words, the client is responsible for communicating the application state to the Web server for each single HTTP request.
How the client stores such information is not the Web server's concern; the server only cares about the state of its own resources. Two common strategies are local storage and, again, cookies.
Since the token is self-contained, the server does not need to store the client state. That is, no server-side session is required, thus making the corresponding session cookie settings unrelated to the behavior of the token. As a matter of fact, the server only needs to decode the token as provided in the HTTP Authorization header in the request, and check the exp date. If the reported timestamp is greater than the current one, the token has expired and the server should refuse to further process the request.
Observe that these two aspects (i.e., the need for the client to take care of the application state and the consequent absence of such data in the server) allow implementing a client/server interaction in accordance with the REST stateless constraint.