When I was developing my app, Ryan told me that this was the preferred way of doing things. From a developer's perspective, you should be storing the next hash in the browser's local storage. If the API returns an invalid hash error, immediately log the user out because the cookie is compromised.