Hi @Lonli-Lokli! Yes, a refresh token is not required when creating a cookie as they are independent of each other - see similar discussions here - How will session expire time and refresh token lifetime work together? - #2 by andrea. Specifically, if a user’s session expires they will still have access to the application with the refresh token option enabled, so be sure to revoke the user’s tokens on logout.
sigama
4
Related topics
| Post | Replies | Views | Activity | |
|---|---|---|---|---|
| Difference between session.setCookieAndRedirect() and signInWithRedirect() | 8 | 6165 | February 8, 2024 | |
| How to get session cookie | 7 | 9342 | February 12, 2024 | |
| Clearing Okta session SID cookie from the browser | 13 | 5708 | February 12, 2024 | |
| Okta SignIn Widget and Refresh Tokens | 19 | 7616 | January 25, 2024 | |
| What are the sid, jsessionid and srefresh cookies for? | 2 | 2400 | March 4, 2024 |