Some Minor Issues on json Plus web Plus token

  node.js, question

Now the implemented token authentication method is that the user submits the user name and password when logging in, and then the server judges that the login is successful according to the user name and password, and generates a short Life cycle token (which contains the user ID). After the client receives the token, it will bring the token with it every time it requests. The server verifies the token and returns the data if the verification is valid.
Now I want to confirm three things:
1: Do you need to update the Life cycle of this token immediately after the verification is successful?
2: Considering that since hackers can steal cookie, which can naturally steal token, and how can security be guaranteed?
3: What should I do if I want to realize the automatic login of the client? Is it necessary to include the password when generating token, and if so, how can the password be secured?