Let's say that my user signs in and the server responds with a refresh token saved in a cookie (SameSite strict, HttpOnly, CSRF token too) and with the access token in response (saved in JS memory).
I read these guidelines in a popular Hasura article. I was wondering, though, with this method, my refresh token would be sent on every request since you can't remove a cookie from the client-side.
Is there a downside to this? I feel like sending a token that gives infinite/long-lived access on every request is a bad practice? If so, is there a better approach so that I don't send a refresh token on every request and only on the requests that I want to refresh my access token?
Other ways of doing this would be appreciated as well.