Session Refresh (using session cookie) not working anymore

Hi fellow devs,

Last month we started getting reports about sessions not being extended and we noticed that this endpoint is no longer working as expected for us:


This used to work just fine, but now we constantly get a 200 OK result and an extended expiration time until we get a 404 exactly 20 minutes (our timeout is set to that value) after the session is created.

This is the function that we use to extend the session:

function refreshSession(oktaUrl) {
  $.ajax({
    type: "POST",
    url: '…',
    accept: "application/json",
    contentType: "application/json",
    crossDomain: true,
    // send the Okta session cookie with the cross-origin request
    xhrFields: { withCredentials: true },
    success: function (response) {
      // do nothing
    },
    error: function (xhr, status, error) {
      // kick the user out here
    }
  });
}

Any idea about what could have changed to break this?

Thanks a lot in advance,


It seems to be working fine to me? I set my Okta session to 5 mins via the sign-on policy. I make a request to /api/v1/sessions/me/lifecycle/refresh and I can see the expiresAt time has been extended. Wait another 4 mins and the request is successful. Are you making sure to extend the session before it expires?

Hi Warren, thanks for your reply

Yes, I am making the request before the session expires. Forgot to mention that this works fine for me too if I run the function from the console at Okta’s dashboard (same domain) but is not working when doing the same from our app domain (and yes, the domain is whitelisted).
Maybe this worked for you because you tested from the same domain?


I was testing on http://localhost:8080 but you bring up a good point. Are third-party cookies being blocked in your browser?

Hi Warren,

Thanks again. No, third-party cookies are not blocked in any of the browsers that we are supporting (Edge, Chrome, Firefox). What is very strange about this issue is that we are getting a 200 OK result and an updated exp time, that is not actually extended in practice at Okta’s end.
Yesterday we were able to find a workaround by redirecting the user to another web application that’s also secured with Okta, but it’s built with core instead of classic.
Wonder if the cookies set at the app domain level are not being refreshed using the classic Okta SDK.
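
One way to check the symptom reported in this thread (a 200 OK with a later expiresAt that does not hold) is to read the session before and after the refresh call and compare. This is an added example, not code from the thread or from Okta. It assumes `GET /api/v1/sessions/me` returns a Session object with `id` and `expiresAt`; `orgUrl`, the function names and the verdict strings are hypothetical.

```javascript
// Pure comparison of three Session objects captured around one refresh call.
function classifyRefresh(before, refreshed, after) {
  const t = (s) => Date.parse(s.expiresAt);
  if (refreshed.id !== before.id || after.id !== before.id) {
    return "session-id-changed"; // the calls did not all act on the same session
  }
  if (t(refreshed) <= t(before)) {
    return "not-extended"; // the refresh response itself shows no later expiry
  }
  if (t(after) < t(refreshed)) {
    return "response-only"; // 200 OK promised a later expiry, follow-up read disagrees
  }
  return "extended";
}

// Gathers the three observations from the browser. orgUrl is a placeholder
// such as "https://example.okta.com"; fetchImpl is injectable for offline use.
async function probeRefresh(orgUrl, fetchImpl = fetch) {
  const call = async (method, path) => {
    const res = await fetchImpl(orgUrl + path, {
      method,
      credentials: "include", // send the Okta session cookie cross-origin
      headers: { Accept: "application/json" },
    });
    if (!res.ok) throw new Error(method + " " + path + " -> HTTP " + res.status);
    return res.json();
  };
  const before = await call("GET", "/api/v1/sessions/me");
  const refreshed = await call("POST", "/api/v1/sessions/me/lifecycle/refresh");
  const after = await call("GET", "/api/v1/sessions/me");
  return { verdict: classifyRefresh(before, refreshed, after), before, refreshed, after };
}

// Constructed sample: the refresh answered with a later expiry, the follow-up read did not.
const SAMPLE = {
  before: { id: "sess-A", expiresAt: "2024-01-01T10:20:00.000Z" },
  refreshed: { id: "sess-A", expiresAt: "2024-01-01T10:35:00.000Z" },
  after: { id: "sess-A", expiresAt: "2024-01-01T10:20:00.000Z" },
};
console.log(classifyRefresh(SAMPLE.before, SAMPLE.refreshed, SAMPLE.after));
```

Logging the verdict together with the three objects on each refresh tick, from the application's own origin, shows whether the server-side session really moved or only the response body did.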