Tags: android, ios, cordova, authentication, hybrid-mobile-app

Best approach to keep user session alive in Mobile apps


We have developed a mobile application (Android & iOS) which has a custom login with a limited session expiry time (3 days). The session expires after 3 days and we then show the Login page to re-login.

But we don't want to show the login page to the user. What is the best approach to do that?

Approach 1:

On the server side, do not set an expiry date on the generated session, so that the session will not expire until the user logs out.

Approach 2:

In the UI, save the username & password in permanent storage like SQLite etc. When the session expires (after 3 days in my case), the UI sends a hidden login call to get a new session ID. In this case we will not redirect to the login page.

How do other mobile apps keep the session IDs alive until the user logs out?

Please suggest any other good approach apart from the above two.


Solution

  • You can use the following approach to solve your issue; I have faced the same issue and used the same approach:

    The server should send an extra RefreshToken along with your sessionId, or the server should provide a different API to refresh your sessionId with that refreshToken.

    So suppose you get an “invalid token” error; then you need to follow these steps:

    • Call the RefreshToken API using the last saved RefreshToken.
    • The server should refresh that sessionID, reset the expiryTime to 3 days, and reply with a new SessionID.
    • The server should create a new RefreshToken at its end only whenever you log out/log in again, and when the 3 days expire (meaning the user hasn't used the app for 3 days, so he should be logged out).
    • So you should be logged out only when that RefreshToken expires.
    • You will get a new sessionID and then use that for further requests, and for the request on which you got that error.