Session Management
How Meridian handles user sessions, token refresh, and secure logout across the dashboard.
Token Architecture
Meridian issues a short-lived access token (15 minutes) and a long-lived refresh token (7 days); the refresh token is stored in an httpOnly cookie. The access token is held in memory only — never written to localStorage or sessionStorage.
Refresh Flow
When a 401 response is received, the client calls /api/auth/refresh. If the refresh token is valid, a new access token is issued and the request is retried transparently. If the refresh token is expired or revoked, the user is redirected to login.
Logout
Logout clears the httpOnly cookie server-side and invalidates the refresh token in the database. The in-memory access token is discarded by the client. No residual state remains.
Concurrent Sessions
Each login creates a unique session record. Users can view and revoke individual sessions from the dashboard security panel. Revoking a session immediately invalidates its refresh token.
Security Note
Access tokens are never exposed to third-party scripts, and the httpOnly flag on the refresh-token cookie prevents any script from reading that token, mitigating XSS-based token theft.