Viability of having edge compute set / update PHP session expiration without hitting php?


I have a situation where we are routing certain URLs to a PHP application and certain URLs to a React app. For example domain.com/user is controlled by the PHP application using traditional PHP sessions and server side rendered pages / PHP templating, and domain.com/info is a static Next.js web application served out of cloud storage.

domain.com/info is static but uses the login mechanism provided by the PHP application to authenticate GraphQL requests to the PHP application's API. So you log in at domain.com/login, which creates a PHP session (a Set-Cookie header with PHPSESSID comes back after logging in; note this is an HttpOnly cookie, so it is not accessible via JS on the FE).

At this point, from domain.com/info, GraphQL requests (e.g. `fetch('domain.com/graphql', { credentials: 'include', ... })`) are authenticated via the PHP session.

This allows us to have a single point for handling authentication in the PHP application, and to share a logged-in state across both the Next.js React app and the traditional PHP pages.

The question comes in because the fetch request (as far as I'm aware) will not be able to update the expires property in the session cookie. So the PHP session will expire eventually, even if the user is actively using the GraphQL API. The only way to keep the session alive is to actually visit a PHP page. I am wondering if it is possible and what the security implications are of having an edge function (or really any mechanism outside of the PHP application itself) updating the PHPSESSID cookie's expire time on request.

The idea in the Next.js application context would be that there are still actual page loads / transitions, because a lot of the site is statically generated and "real" HTTP document requests are happening to the CDN / origin to load the HTML page. At that point it would be theoretically possible to check for a PHPSESSID cookie and, if set, send a Set-Cookie header with the same exact values but an updated expires time, ensuring that the cookie did not automatically expire.

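One way to implement the edge-side refresh the question describes, written here as an added example rather than code from the question or from its PHP/Next.js stack: a small handler in JavaScript for an edge runtime that exposes the Fetch API (Request, Response, Headers). The cookie name PHPSESSID comes from the question; the 24-hour Max-Age, the Path=/, Secure, HttpOnly and SameSite=Lax attributes, the session-ID character check, and the `fetchStatic` helper are assumptions.

```javascript
// Added example (not from the original question): an edge handler that re-issues
// the PHPSESSID cookie with a fresh expiry on every static page load.
// Assumptions: the cookie name, the Max-Age, and the attribute set below. The
// attributes must match what the PHP app sent (PHP defaults: Path=/, no Domain),
// otherwise the browser stores a second cookie instead of replacing the first.

const SESSION_COOKIE = 'PHPSESSID';      // assumed: PHP's default session.name
const REFRESH_MAX_AGE = 60 * 60 * 24;    // assumed: 24h, align with session.cookie_lifetime

// PHP session IDs only ever contain [A-Za-z0-9,-]. Anything else is not a PHP
// session ID and must never be echoed into a response header (CRLF injection).
const VALID_SID = /^[A-Za-z0-9,-]{22,256}$/;

// Parse a Cookie request header into a Map of name -> value. Keeps the first
// occurrence of a name only, which is what a browser sends for a single cookie.
function parseCookieHeader(header) {
  const cookies = new Map();
  if (!header) return cookies;
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    const value = part.slice(i + 1).trim();
    if (name && !cookies.has(name)) cookies.set(name, value);
  }
  return cookies;
}

// Returns the Set-Cookie header value that refreshes the session cookie with
// the same ID, or null if the request carries no well-formed session cookie.
function refreshSessionCookie(cookieHeader, maxAge = REFRESH_MAX_AGE) {
  const sid = parseCookieHeader(cookieHeader).get(SESSION_COOKIE);
  if (sid === undefined || !VALID_SID.test(sid)) return null;
  return `${SESSION_COOKIE}=${sid}; Max-Age=${maxAge}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Edge handler shape: serve the static response, and append the refreshed
// cookie when there is one. `fetchStatic` stands in for whatever serves the
// Next.js HTML from storage (assumption).
async function handleRequest(request, fetchStatic) {
  const upstream = await fetchStatic(request);
  const setCookie = refreshSessionCookie(request.headers.get('cookie'));
  if (setCookie === null) return upstream;
  const headers = new Headers(upstream.headers);
  headers.append('Set-Cookie', setCookie);
  return new Response(upstream.body, { status: upstream.status, headers });
}
```

Two caveats a practitioner would want alongside this. First, the edge only extends the browser's copy of the cookie; PHP's own session.gc_maxlifetime (default 1440 seconds) still governs when the server-side session data is garbage-collected, so a refreshed cookie alone does not keep an idle session alive, and the API still has to touch the session for that. Second, the edge cannot tell whether an ID is still valid, so it will re-issue a cookie for an expired or logged-out ID as readily as for a live one; that is harmless for authentication, since PHP will not honour it, but it means the cookie lifetime no longer enforces any idle-timeout policy the PHP app intended, and that policy has to live in the application instead.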