Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
We have a requirement to automatically logout / redirect users to the login page after X idle time. This will most likely be implemented with some type of JavaScript method that would require minimal but some knowledge of the session details. The application authenticates via an IDaaS provider that returns a JWT. We could stuff just part of the JWT such as the expiration into a cookie but we're required to use httpOnly which isn't available to JavaScript.

My thought is to create a second cookie with simply the automatic logout time / expiration. It would be independent of the actual server-side session management and really just to handle the redirect. In our security audit I'm sure we'll still be dinged for a non-httpOnly cookie though. My other thought is to create a JS timer to handle the redirect (again, unrelated to actually invalidating the JWT). So what is the best practice to handle the automatic logout / redirect?



1 Answer

Waiting for an expert to reply
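The JS-timer option from the question, sketched as an added example that is not part of the original post: the idle deadline is kept in page memory, so nothing about the httpOnly JWT cookie is read and no second cookie is needed, while the server stays responsible for actually expiring the session. The function name, the 15-minute value, the event list and the `/logout` route are assumptions.

```javascript
// Added example; names, timeout and the /logout route are assumptions.
// The deadline lives in page memory, so no script-readable cookie is needed.
function createIdleLogout({ idleMs, onExpire, now = Date.now,
                            setTimer = setTimeout, clearTimer = clearTimeout }) {
  let deadline = now() + idleMs;
  let handle = null;
  let expired = false;

  function schedule() {
    if (handle !== null) clearTimer(handle);
    handle = setTimer(check, Math.max(0, deadline - now()));
  }

  // Compare against the wall clock instead of trusting the timer delay:
  // background tabs and sleeping laptops throttle or pause timers.
  function check() {
    if (expired) return;
    if (deadline - now() <= 0) {
      expired = true;
      onExpire();
    } else {
      schedule();
    }
  }

  schedule();
  return {
    // Cheap enough for high-frequency events: only moves the deadline.
    activity() { if (!expired) deadline = now() + idleMs; },
    check,
    remainingMs: () => Math.max(0, deadline - now()),
    isExpired: () => expired,
    stop() { if (handle !== null) clearTimer(handle); handle = null; },
  };
}

// Browser wiring (skipped when run outside a browser).
if (typeof window !== 'undefined') {
  const idle = createIdleLogout({
    idleMs: 15 * 60 * 1000, // assumed policy value for "X idle time"
    // Assumed server route that invalidates the session and clears the cookie.
    onExpire: () => window.location.assign('/logout'),
  });
  for (const ev of ['pointerdown', 'keydown', 'scroll']) {
    window.addEventListener(ev, idle.activity, { passive: true });
  }
  document.addEventListener('visibilitychange', idle.check);
}
```

The redirect is a usability feature only; a client that never runs this script is still cut off when the server rejects the expired JWT.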
