the session will expire up to one month after its creation.
fixed it
The session could be lost of die way before that. Since a session relies on a client side cookie.
If you only want to keep user tokens for up to a month then you should be using implicit auth which will generate a token good for ~60 days and doesn’t provide a refresh token.
The whole point of a refresh_token is you store it in a database forever. Not for one month.