OK, I worked this out myself by having two cookies: one with a 14-day expiry (if the user chooses "remember me"), and one with a 30-minute expiry, which is extended by 30 minutes on every request. If the short-expiry cookie does not exist, it is recreated from the longer token if that is present.
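A sketch of the two-cookie scheme described above, as an added example that is not part of the original post. The cookie names, the HMAC-signed token format, the demo key and the cookie flags are assumptions; the post does not say how its tokens are built.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: a real key comes from a secret store
SHORT_TTL = 30 * 60                # 30 minute cookie, extended on every request
LONG_TTL = 14 * 24 * 3600          # 14 day "remember me" cookie
FLAGS = "; Path=/; HttpOnly; Secure; SameSite=Lax"

def sign(kind, user, expires):
    """Token is kind|user|expiry|HMAC; kind and expiry are covered by the MAC."""
    body = f"{kind}|{user}|{expires}"
    return f"{body}|{hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()}"

def verify(token, kind, now):
    """Return the user if the token is authentic, of this kind and unexpired."""
    try:
        t_kind, user, expires, mac = token.split("|")
        expected = sign(t_kind, user, int(expires)).rsplit("|", 1)[1]
    except (ValueError, AttributeError):   # malformed or missing cookie
        return None
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    # A short token must not be accepted in the long-lived slot, or vice versa.
    if t_kind != kind or int(expires) <= now:
        return None
    return user

def set_cookie(name, kind, user, ttl, now):
    return f"{name}={sign(kind, user, now + ttl)}; Max-Age={ttl}{FLAGS}"

def login(user, remember_me, now):
    headers = [set_cookie("session", "short", user, SHORT_TTL, now)]
    if remember_me:
        headers.append(set_cookie("remember", "long", user, LONG_TTL, now))
    return headers

def handle_request(cookies, now):
    """Return (user, Set-Cookie headers) for one request."""
    user = verify(cookies.get("session"), "short", now)
    if user is None:
        # Short cookie missing or expired: recreate it from the long token.
        user = verify(cookies.get("remember"), "long", now)
    if user is None:
        return None, []
    # Sliding expiry: reissue the short cookie on every authenticated request.
    return user, [set_cookie("session", "short", user, SHORT_TTL, now)]
```

Stateless signed tokens like these cannot be revoked before they expire; keeping the long token server-side (stored hashed) lets logout or a password change invalidate it.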