Can't stay logged in on iOS for more than a couple of hours...

I have an app – Ionic 3.20.0, Angular 5.2.10 – which uses JWT for authentication (via angular-jwt 1.1.0) against my web server. Everything works fine unless my app is idle for more than a couple of hours. Then when I try to access a page that requires authentication I get a 401 back from my server.

What’s strange to me is that on Android everything works fine. I can stay logged in for several days at a time. In fact, I don’t recall ever being bumped from a session on Android in the two months since I created the app.

At first I thought it was an issue with Ionic storage perhaps not actually committing my token to the database. So I switched to Native Storage and still got the same problem. So then I changed the way angular-jwt gets my token. I initially had my tokenGetter function pulling from storage via: return storage.get('accessToken'); but I changed things around so that the token is just a variable/property on my Auth service. So now my tokenGetter does: return auth.token; But I still get the same results.

I’m continuing to try to debug this but it seems like my app is just in a weird state when I come back to it after it’s been idle for a couple of hours. Almost like some of the variables and/or objects are trashed. I’m wondering if anybody has seen such a difference in behavior between Android and iOS with regard to session management. Any input would be greatly appreciated.

I’ve created multiple apps with JWT auth and actually never experienced something like this! If it works on Android I guess the expiration date of your JWT is fine; however recently I used a library that was not calculating the date correctly and therefore returned that the token was invalid so perhaps start checking that date as well.

Otherwise, however you use storage/variables, make sure Cordova is loaded once you access the values. If you store the token in like Ionic Storage + SQL there’s really no way that token gets deleted while the app is in the background!
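The expiration check suggested in the reply above, sketched as an added example that is not part of the original thread or of any library mentioned in it: it decodes a JWT's `exp` and `iat` claims on the client and reports whether the token has expired, and it also flags an `exp` written in milliseconds, since the claim is defined in seconds. The function names and sample timestamps are constructed for illustration, and the code does not verify the signature, which remains the server's job.

```javascript
// Added example: inspect a JWT's time claims on the client (diagnostic only).
// It does NOT verify the signature; the server must still do that.

function decodeSegment(segment) {
  // JWT segments are base64url without padding (RFC 7515).
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const text = typeof Buffer !== 'undefined'
    ? Buffer.from(b64, 'base64').toString('utf8')   // Node
    : atob(b64);                                     // browser / WebView
  return JSON.parse(text);
}

function inspectToken(token, nowMs = Date.now(), skewSec = 60) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return { status: 'malformed' };
  let claims;
  try { claims = decodeSegment(parts[1]); } catch (e) { return { status: 'malformed' }; }
  if (claims === null || typeof claims !== 'object') return { status: 'malformed' };
  if (typeof claims.exp !== 'number') return { status: 'no-exp' };
  // exp is a NumericDate in SECONDS (RFC 7519); Date.now() is milliseconds.
  if (claims.exp > 1e11) return { status: 'exp-in-milliseconds' };
  const remainingSec = claims.exp - Math.floor(nowMs / 1000);
  return {
    // Tolerate skewSec of clock drift before calling the token expired.
    status: remainingSec + skewSec <= 0 ? 'expired' : 'valid',
    expiresAt: new Date(claims.exp * 1000).toISOString(),
    remainingSec,
    lifetimeSec: typeof claims.iat === 'number' ? claims.exp - claims.iat : null,
  };
}

// Constructed sample token (placeholder signature), for running the example in Node.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}

const ISSUED = 1700000000;                       // constructed timestamp (seconds)
const idleNowMs = (ISSUED + 3 * 3600) * 1000;    // app resumed 3 hours after login
const oneHour = makeSampleToken({ sub: 'demo', iat: ISSUED, exp: ISSUED + 3600 });
const thirtyDays = makeSampleToken({ sub: 'demo', iat: ISSUED, exp: ISSUED + 30 * 86400 });
console.log(inspectToken(oneHour, idleNowMs));
console.log(inspectToken(thirtyDays, idleNowMs));
```

Logging the result of `inspectToken` just before the failing request shows whether a 401 after an idle period lines up with the token's own lifetime.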

Thanks for the expiration date idea. I’ll look into that.

Looks like I’ve got it solved! Thanks again for pointing me toward looking at the expiration time. Turns out the Access-Control-Max-Age header was being set to 1 hour. I’m using a Ruby on Rails backend and the JWT library I’m using defaults the header to 1 hour. I’m now explicitly setting it to 30 days and so far, so good.

But now I’ve got to figure out why it wasn’t expiring on Android! I think the Android app may be sending cookies along with the token…

Anyway, thanks again!