Recipe

Cookie Strategy

Session persistence, token rotation, and secure cookie configuration for Meridian-authenticated clients.

Overview

Meridian issues a signed session cookie after successful license validation. The cookie is HttpOnly, SameSite=Strict, and scoped to your application domain. The loader refreshes it transparently before expiry using a short-lived refresh token held in memory.

Cookie Structure

Set-Cookie: nimbus_session=<jwt>;
  HttpOnly; Secure; SameSite=Strict;
  Path=/; Max-Age=3600

The JWT payload contains the hardware-bound fingerprint hash, license tier, and expiration epoch.

Rotation Flow

  1. Loader calls /api/session/refresh with the in-memory refresh token.
  2. Server validates the refresh token against the license key and fingerprint.
  3. New session cookie is issued; old refresh token is invalidated server-side.
  4. Loader stores the new refresh token in guarded memory, discarding the previous one.
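The server side of the cookie issuance and rotation flow above, as an added example that is not Meridian's own code: an HMAC-SHA256 compact token stands in for the JWT, and the signing key, the in-memory refresh-token table and all function names are assumptions. It shows the single-use property of the refresh token (a replayed or fingerprint-mismatched token is rejected and discarded) and the cookie attributes from the Cookie Structure section.

```python
import base64, hashlib, hmac, json, secrets

SERVER_KEY = b"constructed-demo-signing-key"   # assumption: server-side secret, not a Meridian value
SESSION_TTL = 3600                             # matches Max-Age=3600 in the cookie structure
_refresh_store: dict = {}                      # assumption: server-side table of live refresh tokens

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(payload: dict) -> str:
    # Compact HMAC-SHA256 token standing in for the JWT (no external library needed).
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def verify_session(token: str, now: int):
    """Return the payload if the signature is valid and the session is unexpired, else None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return payload if payload["exp"] > now else None

def issue_session(license_key: str, fingerprint: str, tier: str, now: int):
    """Issue the Set-Cookie header and a fresh single-use refresh token."""
    fp_hash = hashlib.sha256(fingerprint.encode()).hexdigest()
    token = _sign({"fp": fp_hash, "tier": tier, "exp": now + SESSION_TTL})
    refresh = secrets.token_urlsafe(32)
    _refresh_store[refresh] = {"license": license_key, "fp": fp_hash, "tier": tier}
    header = (f"Set-Cookie: nimbus_session={token}; HttpOnly; Secure; "
              f"SameSite=Strict; Path=/; Max-Age={SESSION_TTL}")
    return header, refresh

def refresh_session(refresh_token: str, license_key: str, fingerprint: str, now: int):
    """Steps 2-3 of the rotation flow: validate, invalidate the old token, issue a new pair."""
    # pop() makes the token single-use; a replayed or mismatched token is dropped as well,
    # so a token presented with the wrong license or fingerprint cannot be retried.
    record = _refresh_store.pop(refresh_token, None)
    fp_hash = hashlib.sha256(fingerprint.encode()).hexdigest()
    if (record is None or not hmac.compare_digest(record["license"], license_key)
            or record["fp"] != fp_hash):
        return None
    return issue_session(license_key, fingerprint, record["tier"], now)
```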

Offline Grace

When the refresh endpoint is unreachable, the loader falls back to an HMAC-signed offline cache. The cache is valid for 72 hours and is bound to the same hardware fingerprint present in the original session cookie.

Security note

Never store refresh tokens in localStorage or sessionStorage. The Meridian loader keeps them exclusively in PAGE_GUARD-protected heap allocations that are zeroed on process exit.