timed refresh mechanism

[dickhardt]

To remove latency from calling APIs where the cookie has expired and the browser does the refresh adding latency, I would likely set a timer to POST to /securesession/refresh on a regular basis. Perhaps doing this could be part of the API?

[arnar]

We do expect that browsers try to pre-emptively refresh before the cookies expire. This takes some care as indefinite background pings when the user isn't actually using that website/app don't quite make sense from a privacy perspective. So we've left the triggers and timing for this that browser implementations should control.