.gif)
Discover why session expiration occurs in Lovable and learn best practices for managing token expiry, session state, and secure token handling.
Book a call with an Expert
Starting a new venture? Need to upgrade your web app? RapidDev builds application with your growth in mind.
Understanding Session Expiration
When we talk about session expiration without proper handling in Lovable, we refer to a situation where a user’s active session stops working unexpectedly. This happens because the system allows the session to time out due to inactivity or overdue credentials. Think of it as a temporary pass that allows you to continue using a service, which automatically ends after some time if not renewed.
.png)
.png)
# Example: Starting a user session
user\_session = {
"username": "exampleUser",
"token": "secureToken12345",
"expiry": current\_time + 3600 # Expires in one hour
}
Reasons Behind the Occurrence
Several factors can lead to session expiration issues in Lovable without proper management:
# Example: Checking for expired sessions
if current_time > user_session["expiry"]:
# Session is considered expired
user\_session = None
# The user would then need to log in again.
Conceptual Insights
Imagine borrowing a library book with a due date. If you forget to renew it on time, the system automatically marks the book as returned, even if you hadn’t finished reading it. Similarly, without the proper process to extend or update your session while using the application, Lovable assumes your activity has ended. This automatic cutoff is crucial for security, ensuring that stale or inactive sessions do not remain open indefinitely. However, when handled without care, it might end your user experience unexpectedly, often leading to confusion.
# Example: Renewing a session (demonstration of concept)
def renew\_session(session):
session["expiry"] = current\_time + 3600 # Extends the session expiry by one hour
return session
# This helps keep the session active, but if not used, expiration occurs.
Understanding Token Expiry and Session State
Token expiry means that the authentication token you receive when logging in has a built‐in expiry time. When the token is expired, the system must renew it so that users can keep accessing protected features without logging in again. Session state tracks whether a user is logged in and stores user information along with the token. This guide shows you how to check if a token is expired, refresh it when needed, and manage the user’s session state—all within Lovable’s code editor.
Setting Up the Token Manager
In Lovable, create a new file named TokenManager.js. This file will contain functions to check token expiry and refresh the token when needed.
function isTokenExpired(token) {
// Decode the token payload to get the expiry value.
// This assumes the token is a JSON Web Token (JWT).
const payload = token.split('.')[1];
const decoded = JSON.parse(atob(payload));
const expiry = decoded.exp;
// Compare the expiry time with the current time.
const currentTime = Math.floor(new Date().getTime() / 1000);
return currentTime >= expiry;
}
function refreshToken() {
// Replace '/api/refresh-token' with the actual endpoint provided by your backend.
return fetch('/api/refresh-token', {
method: 'POST',
credentials: 'include' // Sends cookies if needed.
}).then(response => response.json());
}
async function getValidToken() {
// Get the token from local storage.
let token = localStorage.getItem('authToken');
if (!token) {
throw new Error('No token found. Please log in.');
}
// If token is expired, attempt to refresh it.
if (isTokenExpired(token)) {
const newData = await refreshToken();
token = newData.token;
localStorage.setItem('authToken', token);
}
return token;
}
// For use in other parts of your application.
export { isTokenExpired, refreshToken, getValidToken };
Copy and paste the above code into your newly created TokenManager.js file. This file contains the logic for checking token expiry and refreshing the token when necessary.
Setting Up the Session Manager
Now, create another file named SessionManager.js. This file will help manage the session state by storing whether a user is logged in and handling the user data.
const sessionState = {
isLoggedIn: false,
user: null,
// Call this function after a successful login to update session state.
setSession(user, token) {
this.isLoggedIn = true;
this.user = user;
localStorage.setItem('authToken', token);
},
// Clears all session information when the user logs out.
clearSession() {
this.isLoggedIn = false;
this.user = null;
localStorage.removeItem('authToken');
}
};
export default sessionState;
Paste the above code in SessionManager.js. This file provides easy-to-use methods for setting and clearing the session state.
Integrating Token and Session Management into Your Application
In the main part of your application (for example, in your primary code file like MainApp.js), import the Token Manager and Session Manager. Before calling any protected API, verify that the token is valid.
import { getValidToken } from './TokenManager.js';
import sessionState from './SessionManager.js';
async function fetchProtectedData() {
try {
// Get a valid token (this automatically refreshes the token if it has expired).
const token = await getValidToken();
// Fetch protected data using the token for authorization.
const response = await fetch('/api/protected-data', {
method: 'GET',
headers: {
'Authorization': 'Bearer ' + token
}
});
const data = await response.json();
return data;
} catch (error) {
console.error('Error during data fetch:', error);
// If an error occurs, clear the session to ensure user safety.
sessionState.clearSession();
// Optionally, redirect the user to the login page.
}
}
// Example usage after a successful login:
function onLoginSuccess(user, token) {
sessionState.setSession(user, token);
// Load additional functionalities of your app.
}
Place this integration code in your main application file where API calls and login logic are managed. This ensures that every time a protected resource is accessed, the token is checked, refreshed if needed, and the session state remains up to date.
Handling Dependencies Without a Terminal in Lovable
Since Lovable does not have a terminal for installing dependencies, you must include any necessary libraries via script tags directly in your HTML file. For example, if you need polyfills or helper libraries, add them in the header of your main HTML file.
<!-- Place this in the <head> section of your HTML file -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js"></script>
If your code depends on other libraries, include similar script references directly within your HTML. This method ensures that your application has all required dependencies even without a terminal.
Connect with our team to unlock the full potential of no-code solutions with a no-commitment consultation!
.svg)
Step 1: Understanding Tokens and Sessions
Tokens are small pieces of information that prove a user’s identity. Sessions help keep track of a user’s activity once they are logged in. In Lovable, you want to securely generate tokens and manage sessions effectively. This means using safe methods to create tokens, store sessions, and check for valid sessions when a user makes a request.
Step 2: Creating a Token Management File
Create a new file in your Lovable project directory called tokenManager.js. This file will have functions to generate and verify tokens. Since Lovable does not have a terminal for installing dependencies, we will use built‑in libraries like Node.js’s crypto (if available) to handle our token creation.
const crypto = require('crypto');
// Generates a secure token using user data
function generateToken(data) {
const tokenData = JSON.stringify(data);
const secret = 'your-very-secure-secret'; // Replace with a secret key and keep it safe
return crypto.createHmac('sha256', secret).update(tokenData).digest('hex');
}
// Verifies if a token matches the data provided
function verifyToken(token, data) {
const expectedToken = generateToken(data);
return token === expectedToken;
}
module.exports = { generateToken, verifyToken };
Insert the above code into the new file tokenManager.js in your main project folder.
Step 3: Creating a Session Management File
Next, create another new file named sessionManager.js. This file will have functions to create, retrieve, and end user sessions. Sessions are maintained in memory for this example, but in a production environment, you might want to use a database or dedicated session store.
const crypto = require('crypto');
// Object to hold session information
const sessions = {};
// Creates a new session for a user and returns a session ID
function createSession(userId) {
const sessionId = crypto.randomBytes(16).toString('hex');
sessions[sessionId] = { userId, createdAt: Date.now() };
return sessionId;
}
// Retrieves session information using a session ID
function getSession(sessionId) {
return sessions[sessionId];
}
// Ends a session by removing it from the sessions object
function endSession(sessionId) {
delete sessions[sessionId];
}
module.exports = { createSession, getSession, endSession };
Add the above code into the file sessionManager.js in your project directory.
Step 4: Integrating Token and Session Management in Your Main Code
Now update your main server file (for example, server.js or whichever file handles HTTP requests). Here, you will import the token and session management modules and use them in your login and protected route handlers.
const tokenManager = require('./tokenManager');
const sessionManager = require('./sessionManager');
// Example login handler function (assumes user is authenticated)
function loginHandler(req, res) {
// Simulated user data after authentication
const userData = { userId: 'user123' };
// Generate a token based on user information
const token = tokenManager.generateToken(userData);
// Create a new session for the user
const sessionId = sessionManager.createSession(userData.userId);
// Store sessionId safely (e.g., in an HTTP-only cookie)
res.setHeader('Set-Cookie', `sessionId=${sessionId}; HttpOnly`);
// Return the generated token to the client in your response if needed
res.json({ token: token });
}
// Example protected route – use session to allow access
function protectedRoute(req, res) {
// Assuming your request contains cookies
const sessionId = req.cookies && req.cookies.sessionId;
// Check if a valid session exists for this sessionId
const session = sessionManager.getSession(sessionId);
if (session) {
// Access is allowed if session is valid
res.send('Access granted');
} else {
// Respond with unauthorized status if session is invalid
res.status(401).send('Unauthorized');
}
}
Insert this updated code into your main project file (for example, server.js) where you handle route definitions.
Step 5: Best Practices and Troubleshooting Tips
crypto in Node.js) or include external libraries using direct script tags if needed in your code.
Review and test your login and protected routes to ensure that the token generation and session management work smoothly. If you encounter an error, check the values in your tokens and compare them with the session data for troubleshooting.
When it comes to serving you, we sweat the little things. That’s why our work makes a big impact.
Rapid Dev was an exceptional project management organization and the best development collaborators I've had the pleasure of working with. They do complex work on extremely fast timelines and effectively manage the testing and pre-launch process to deliver the best possible product. I'm extremely impressed with their execution ability.
CPO, Praction - Arkady Sokolov
May 2, 2023
Working with Matt was comparable to having another co-founder on the team, but without the commitment or cost. He has a strategic mindset and willing to change the scope of the project in real time based on the needs of the client. A true strategic thought partner!
Co-Founder, Arc - Donald Muir
Dec 27, 2022
Rapid Dev are 10/10, excellent communicators - the best I've ever encountered in the tech dev space. They always go the extra mile, they genuinely care, they respond quickly, they're flexible, adaptable and their enthusiasm is amazing.
Co-CEO, Grantify - Mat Westergreen-Thorne
Oct 15, 2022
Rapid Dev is an excellent developer for no-code and low-code solutions.
We’ve had great success since launching the platform in November 2023. In a few months, we’ve gained over 1,000 new active users. We’ve also secured several dozen bookings on the platform and seen about 70% new user month-over-month growth since the launch.
Co-Founder, Church Real Estate Marketplace - Emmanuel Brown
May 1, 2024
Matt’s dedication to executing our vision and his commitment to the project deadline were impressive.
This was such a specific project, and Matt really delivered. We worked with a really fast turnaround, and he always delivered. The site was a perfect prop for us!
Production Manager, Media Production Company - Samantha Fekete
Sep 23, 2022