diff --git a/server/internal/handler/auth.go b/server/internal/handler/auth.go
index 5339190c..61807b81 100644
--- a/server/internal/handler/auth.go
+++ b/server/internal/handler/auth.go
@@ -175,7 +175,7 @@ func (h *Handler) issueJWT(user db.User) (string, error) {
 		"sub":   uuidToString(user.ID),
 		"email": user.Email,
 		"name":  user.Name,
-		"exp":   time.Now().Add(72 * time.Hour).Unix(),
+		"exp":   time.Now().Add(30 * 24 * time.Hour).Unix(),
 		"iat":   time.Now().Unix(),
 	})
 	return token.SignedString(auth.JWTSecret())
@@ -302,7 +302,7 @@ func (h *Handler) VerifyCode(w http.ResponseWriter, r *http.Request) {
 
 	// Set CloudFront signed cookies for CDN access.
 	if h.CFSigner != nil {
-		for _, cookie := range h.CFSigner.SignedCookies(time.Now().Add(72 * time.Hour)) {
+		for _, cookie := range h.CFSigner.SignedCookies(time.Now().Add(30 * 24 * time.Hour)) {
 			http.SetCookie(w, cookie)
 		}
 	}
diff --git a/server/internal/middleware/cloudfront.go b/server/internal/middleware/cloudfront.go
index ab749998..b6a27d75 100644
--- a/server/internal/middleware/cloudfront.go
+++ b/server/internal/middleware/cloudfront.go
@@ -18,7 +18,7 @@ func RefreshCloudFrontCookies(signer *auth.CloudFrontSigner) func(http.Handler)
 		}
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if _, err := r.Cookie("CloudFront-Policy"); err != nil {
-				for _, cookie := range signer.SignedCookies(time.Now().Add(72 * time.Hour)) {
+				for _, cookie := range signer.SignedCookies(time.Now().Add(30 * 24 * time.Hour)) {
 					http.SetCookie(w, cookie)
 				}
 			}