
Session/cookie expire time, match access token or refresh token from AD?

Çağlar Arlı

I am tasked with moving away from implicit flow in a SPA. It is a basic solution consisting of a React SPA and a .NET API on the same domain. This web app is a case management solution that deals with medical data, running in a private network.

I have landed on using Auth Code Flow in the backend with OpenID Connect against AD FS. The backend will issue an HttpOnly, Secure, SameSite=Strict cookie to the SPA. With anti-CSRF tokens, of course.

However, I am not sure what the max expiry time should be for the cookie. The id token/access token from AD FS lasts 1 hour and the refresh token lasts 8 hours. Currently the library I am using (OpenIdConnect in .NET) will set the cookie expiry to match the id token: one hour. Halfway through the expiry time I will try to refresh the access token; if successful, I extend the cookie expiry by one hour AND issue a new cookie/session, deleting the old one. This makes it complicated in the frontend, having to track expiry/refresh time so that multiple concurrent requests don't refresh and send requests with the old cookie at the same time.

I can't find examples of people doing authentication this way, as in setting the cookie expiry to the access token expiry and issuing a new cookie on each refresh. To me it seems pointless, since it won't help against XSS attacks. If an attacker can run code through the frontend, the attacker will have a session that is extended either way, no matter what I do. If I can't avoid this type of situation anyway, why can't I just set the cookie to match the refresh token length, 8 hours, with a sliding expiration of 10-20 minutes based on whether the user is active? On every extension of the length, I'll do a request to refresh the access token to update the user's identity if permissions have been changed, or see if it has been revoked. Maybe having a shorter RT length would also help.

Also, are there maybe other ways I can mitigate potential XSS attacks? When I log in to my bank, I see a bunch of secure cookies being set in my browser. This makes me think my solution (regardless of expiry time) seems weak (I only have one).
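The design the question arrives at (cookie lifetime bounded by the 8-hour refresh token, a short sliding window, and a server-side token refresh on every renewal that doubles as a revocation check) can be expressed entirely in the ASP.NET Core cookie and OpenID Connect handlers, so the SPA never tracks expiry at all. The following Program.cs is an added example written for this page; it is not the asker's code and not an official Microsoft sample. The authority URL, client id, the `session_start` item name, the 8 h / 20 min lifetimes and the `/api/me` endpoint are assumptions. Note that `OpenIdConnectOptions.UseTokenLifetime` (default true) is the setting that makes the library bind the cookie to the one-hour id token.

```csharp
// Program.cs, ASP.NET Core 8 assumed. Hypothetical example, not the asker's or Microsoft's code.
using System.Globalization;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpClient();
builder.Services.AddAntiforgery(o => o.HeaderName = "X-CSRF-TOKEN"); // SPA sends the token in a header

var absoluteMax = TimeSpan.FromHours(8);       // assumed: equals the AD FS refresh-token lifetime
var slidingWindow = TimeSpan.FromMinutes(20);  // assumed: idle timeout per cookie renewal

builder.Services.AddAuthentication(o =>
{
    o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(o =>
{
    o.Cookie.HttpOnly = true;
    o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    o.Cookie.SameSite = SameSiteMode.Strict;
    o.ExpireTimeSpan = slidingWindow;
    o.SlidingExpiration = true;
    o.Events.OnValidatePrincipal = async ctx =>
    {
        var props = ctx.Properties;
        var now = DateTimeOffset.UtcNow;

        // Absolute cap. IssuedUtc is reset on every sliding renewal, so the original sign-in
        // time is kept as a custom item ("session_start", written in OnTokenValidated below).
        if (!props.Items.TryGetValue("session_start", out var startText)
            || !DateTimeOffset.TryParse(startText, null, DateTimeStyles.RoundtripKind, out var start)
            || now - start > absoluteMax)
        {
            ctx.RejectPrincipal();   // session over: next request is challenged at AD FS again
            return;
        }

        // Only call AD FS when this request is about to extend the cookie, i.e. more than half
        // the sliding window has elapsed (the same rule the cookie handler uses for renewal).
        var issued = props.IssuedUtc ?? start;
        if (now - issued < slidingWindow / 2) return;

        var refreshToken = props.GetTokenValue("refresh_token");
        if (refreshToken is null) { ctx.RejectPrincipal(); return; }

        // Resolve the token endpoint from the OIDC discovery document already loaded by the handler.
        var oidc = ctx.HttpContext.RequestServices
            .GetRequiredService<IOptionsMonitor<OpenIdConnectOptions>>()
            .Get(OpenIdConnectDefaults.AuthenticationScheme);
        var discovery = await oidc.ConfigurationManager!.GetConfigurationAsync(ctx.HttpContext.RequestAborted);

        var http = ctx.HttpContext.RequestServices.GetRequiredService<IHttpClientFactory>().CreateClient();
        using var response = await http.PostAsync(discovery.TokenEndpoint, new FormUrlEncodedContent(
            new Dictionary<string, string>
            {
                ["grant_type"] = "refresh_token",
                ["refresh_token"] = refreshToken,
                ["client_id"] = oidc.ClientId!,
                ["client_secret"] = oidc.ClientSecret!,
            }));
        if (!response.IsSuccessStatusCode)
        {
            ctx.RejectPrincipal();   // refresh token revoked, expired or rejected: end the session
            return;
        }

        // Swap the refreshed tokens into the encrypted cookie and re-issue it with a fresh window.
        using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var root = json.RootElement;
        props.UpdateTokenValue("access_token", root.GetProperty("access_token").GetString()!);
        if (root.TryGetProperty("refresh_token", out var rt))   // only present if the IdP rotates it
            props.UpdateTokenValue("refresh_token", rt.GetString()!);
        if (root.TryGetProperty("id_token", out var idt))
            props.UpdateTokenValue("id_token", idt.GetString()!);
        ctx.ShouldRenew = true;
    };
})
.AddOpenIdConnect(o =>
{
    o.Authority = "https://adfs.example.internal/adfs";       // hypothetical
    o.ClientId = "case-management-spa";                        // hypothetical
    o.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
    o.ResponseType = OpenIdConnectResponseType.Code;           // authorization code flow, not implicit
    o.UsePkce = true;
    o.SaveTokens = true;                                       // tokens live inside the encrypted cookie
    o.Scope.Add("offline_access");                             // request a refresh token
    o.UseTokenLifetime = false;                                // stop binding the cookie to the 1 h id token
    o.Events.OnTokenValidated = ctx =>
    {
        ctx.Properties!.Items["session_start"] = DateTimeOffset.UtcNow.ToString("o");
        return Task.CompletedTask;
    };
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/api/me", (HttpContext c) => c.User.Identity?.Name).RequireAuthorization();
app.Run();
```

Two practical caveats. First, two concurrent requests that both cross the half-window will both call the token endpoint; if the identity provider rotates refresh tokens (one-time use), the second call fails and ends the session, so in that case keep the tickets in a server-side `SessionStore` (`ITicketStore`) and serialise the refresh per session. Second, `RejectPrincipal()` only clears the cookie session; whether the SPA's fetch then receives a 302 to AD FS or a 401 depends on the challenge scheme you map for API routes, and an API consumed by JavaScript is usually better off answering 401 and letting the SPA navigate to a login route.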