diff --git a/app/controllers/api/v1/tokens_controller.rb b/app/controllers/api/v1/tokens_controller.rb
index 7a88892e2..d8286e74d 100644
--- a/app/controllers/api/v1/tokens_controller.rb
+++ b/app/controllers/api/v1/tokens_controller.rb
@@ -84,7 +84,7 @@ def generate
 # TODO(ezekg) make default session expiry configurable
 session = token.sessions.build(
- expiry: token.expiry.presence || (1.week + 12.hours).from_now,
+ expiry: token.expiry.presence || 1.week.from_now,
 user_agent: request.user_agent,
 ip: request.remote_ip,
 )
diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
index 2eb59b02c..7bfe1503b 100644
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@@ -127,6 +127,7 @@ def http_cookie_authenticator(cookie_jar)
 if session.last_used_at.nil? || session.last_used_at.before?(1.hour.ago)
 session.update(
+ expiry: session.expiry + 12.hours, # extend expiry while in use until MAX_AGE
 last_used_at: Time.current,
 user_agent: request.user_agent,
 ip: request.remote_ip,
diff --git a/app/models/session.rb b/app/models/session.rb
index 9e6b766fb..b5f460e4e 100644
--- a/app/models/session.rb
+++ b/app/models/session.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 class Session < ApplicationRecord
+ MAX_AGE = 2.weeks
+
 include Denormalizable
 include Environmental
 include Accountable
@@ -15,5 +17,5 @@ class Session < ApplicationRecord
 denormalizes :bearer_type, :bearer_id, from: :token
- def expired? = expiry < Time.current
+ def expired? = expiry < Time.current || created_at < MAX_AGE.ago
 end
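Review bot: The added `expiry:` line in the `session.update` call grows the stored expiry by 12 hours on every refresh with no upper bound, so the trailing comment ("until MAX_AGE") is only true because `Session#expired?` separately checks `created_at`; the column itself can drift past `MAX_AGE` and, when the session was built from `token.expiry` in `generate`, past the token's own expiry. If nothing else on the cookie path re-checks the token, a session could then outlive its token. Clamping at write time keeps the column truthful for any code that reads it directly: `expiry: [session.expiry + 12.hours, session.created_at + Session::MAX_AGE, session.token&.expiry].compact.min` (assuming the `token` association that the model's `denormalizes ... from: :token` implies). The arithmetic also assumes `session.expiry` is never nil, which holds for sessions built in `generate` but is not shown for any other creation path. http_cookie_authenticator starts and ends outside the hunk.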
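Review bot: `MAX_AGE = 2.weeks` is introduced without a comment, and its meaning — an absolute cap measured from `created_at` that bounds the sliding 12-hour extensions done in `authentication.rb`, as distinct from the 1-week default idle expiry set in `tokens_controller.rb` — is only discoverable by reading the other two files. A one-line comment above it would carry that: `# Absolute lifetime cap measured from created_at; sliding expiry extensions never keep a session alive past this.`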
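Review bot: `created_at < MAX_AGE.ago` raises `NoMethodError` on an unsaved session, because `created_at` is nil until the record is persisted, whereas the previous `expiry < Time.current` worked on a built-but-unsaved session such as the one `generate` creates with `token.sessions.build`. If `expired?` can run before save, guard the new clause: `def expired? = expiry < Time.current || (created_at.present? && created_at < MAX_AGE.ago)`. The cap also lives only in Ruby: any SQL-side scope that selects live sessions by `expiry` alone, if one exists, will not apply it unless the stored expiry is clamped to `created_at + MAX_AGE` at write time.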