We rolled a 30-minute idle timeout last night and a few users now hit a 401 on their first request after reloading, until they do a hard refresh. I can reproduce in Chrome 121 on Windows 11 with a stale session cookie — has anyone solved this server-side with cache headers/nginx or token refresh logic, so we don’t have to tell users to clear cookies?
I’ve seen this when the app shell gets cached — treat the stale cookie like an expired wristband and tear it off on 401 (Set-Cookie: session=; Max-Age=0), and set Cache-Control: no-store, must-revalidate plus Vary: Cookie on the HTML/auth endpoints. If you’re on nginx/CDN, add proxy_cache_bypass $http_cookie; header refs: Cache-Control header - HTTP | MDN. Are you behind a CDN?
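A server-side sketch of what the reply above describes, added here as an example and not code from either poster: an in-memory session check with a sliding 30-minute idle timeout that, on a stale or missing cookie, answers 401 with the cookie torn off and caching disabled. The in-memory store, the cookie name `session`, and the handler names are assumptions.

```python
"""Stale session cookie after an idle timeout: clear it on 401 and forbid caching.

Constructed example; the session store and cookie name are assumptions.
"""
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 30 * 60  # seconds; the 30-minute idle timeout from the thread

# Constructed in-memory session store: session id -> last activity timestamp
SESSIONS = {}


def touch_session(session_id, now):
    SESSIONS[session_id] = now


def session_is_live(session_id, now):
    last_seen = SESSIONS.get(session_id)
    return last_seen is not None and now - last_seen <= IDLE_TIMEOUT


def no_cache_headers():
    # Auth-sensitive responses must never come from a browser or shared cache,
    # and Vary: Cookie stops a copy keyed to one cookie being served for another.
    return [
        ("Cache-Control", "no-store, must-revalidate"),
        ("Vary", "Cookie"),
    ]


def handle_request(cookie_header, now=None):
    """Return (status, headers) for a request carrying the given Cookie header."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    session_id = cookie["session"].value if "session" in cookie else None
    if session_id and session_is_live(session_id, now):
        touch_session(session_id, now)  # sliding idle timeout
        return 200, [("Content-Type", "text/html")] + no_cache_headers()
    # Stale or missing cookie: expire it so the browser stops replaying it,
    # then the client can re-authenticate without a manual cookie clear.
    headers = no_cache_headers() + [
        ("Set-Cookie", "session=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ]
    return 401, headers
```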