LTI Security

hema_chand
Community Novice

I recently started LTI development and I would like to know more about securing LTIs. I understand the OAuth 1.0 message signing service, where the LMS system can be verified, but would like to know more about the below.

Session establishment:

How to create and maintain a session between the LTI back end (API/Controller) and the LTI front end (Angular/React). (Usually SPA applications are best supported with the implicit grant, and I am not sure how to implement it here as we don't have logins.)

Can we access the current Canvas user session in LTI?

Can we create a token based on the current user id and role, store it in a cookie (set the expiry to 30 min or 1 hour) and use that for all the requests?

What is the best way to handle token expiry (do we need to launch the LTI request again)?

Practices:

Can anyone please suggest best practices that could be followed to secure LTIs from their practical/personal experience?
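One way to implement the cookie-session design sketched in the question, as an added example that is not from the post or from any LMS or vendor code: after the OAuth 1.0 launch signature has already been verified, the back end mints a short-lived HMAC-signed token carrying only the user id, roles and course context, sets it as an HttpOnly cookie, and treats an expired or tampered token as a rejection so the API can answer 401 and the front end can trigger a fresh LTI launch. The secret, the TTL and the sample launch parameters are assumed/constructed values.

```python
import base64, hashlib, hmac, json, time

# Hypothetical server-side secret; in practice load a random value from configuration.
SESSION_SECRET = b"replace-with-a-random-32-byte-secret"
SESSION_TTL_SECONDS = 30 * 60  # 30-minute lifetime, as proposed in the question

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_session_token(launch_params: dict, now=None) -> str:
    """Build a signed session token from an already signature-verified LTI launch.
    Only the claims the API needs (user id, roles, course context) are copied in."""
    now = time.time() if now is None else now
    claims = {
        "sub": launch_params["user_id"],
        "roles": launch_params.get("roles", ""),
        "context_id": launch_params.get("context_id"),
        "iat": int(now),
        "exp": int(now) + SESSION_TTL_SECONDS,
    }
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"

def verify_session_token(token: str, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None.
    None is the signal for the API to respond 401 so the client starts a new LTI launch."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time comparison
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, KeyError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims

def session_cookie_header(token: str) -> str:
    """Set-Cookie value: HttpOnly keeps it away from front-end JavaScript, Secure limits
    it to HTTPS, SameSite=None is needed because the tool is embedded in an LMS iframe."""
    return (f"lti_session={token}; Max-Age={SESSION_TTL_SECONDS}; Path=/; "
            "HttpOnly; Secure; SameSite=None")

# Constructed sample launch parameters (not a real Canvas launch)
SAMPLE_LAUNCH = {"user_id": "u-123", "roles": "Instructor", "context_id": "course-42"}
```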
