We're thinking of bumping the lifetime of our Apigee refresh tokens from 1 day to 6 months to simulate an "always signed on" experience for our end users. What are the security best practices around such long-lived refresh tokens? (Secure cookie attributes, ReuseRefreshToken, custom theft detection and revocation, etc.?)