There are different ways to handle sessions with Magic. You can either rely on Magic for session management, or rely on your own backend, which can offer more flexibility.
Relying on Magic for session management
When a user logs in, they create a new session that is valid for 7 days. Unless the user explicitly logs out, they won’t have to log in again for 7 days. It's possible to customize session length in the Magic dashboard.
As a developer, call magic.user.isLoggedIn() to check if the user is authenticated with Magic on your application. (link)
Relying on your backend for session management
If you have a backend, you can manage user sessions with either cookies or by relying on the DID token Magic provides.
Cookies
After a user authenticates, they will create two sessions, one with your app (first party), one with Magic (third party). You will rely on your first party session, managed by having your server issue a cookie to each user once they successfully login. The cookie can contain user-specific data allowing you to tell who makes each request. The cookie can also be encrypted before it's set inside the client, and decrypted by your backend on each request so you can read from it. With this setup, Magic only serves as the authentication layer.
See our guide here for managing sessions with cookies and JSON web tokens https://magic.link/posts/magic-jwt
DID Tokens
When a user logs into your app, call magic.user.getIdToken({ lifespan: num-seconds-token-is-valid }) and pass in the lifespan argument to get a unique DID token. The lifespan parameter will set the expiration date of the DID token to that many seconds in the future. On each request to the server, validate the DID token to know if they are authorized. (link)
TIP: You can now customize session lengths in the Magic Dashboard. More info here.