Single page apps: auth token management and browser refreshes
I think option 1 is the best one for your use case. All major web frameworks have support for this option.
If you need to handle this manually, you need to ensure these steps:
- The web service will process the initial authentication request by creating and setting a secure authentication cookie. The auth cookie should be time-based (only valid for a specific time interval) and its value should be a unique value if possible;
- After the initial authentication request, all subsequent requests will pass the authentication cookie in the request header automatically - this is handled by the browser.
- The web service needs to handle cookie based authentication on subsequent requests by validating the cookie value and returning an error if the cookie has expired.
- You need to ensure a client side global authentication handler captures any authentication exceptions and displays a friendly message to the user.