Just to clarify myself. If I have already logged in and now closed the window. Again open a tab and send request to the server, won't the token/cookies/sessioninfo etc. be sent in the initial request to the page? And if the auth info is sent via the headers, can we not check the user login status (expired sessions) at the server and send the right component back?