I'm developing a web-frontend to configure a hardware device (almost like a router), wich runs a nodejs backend to serve an Angular Frontend for Configuration. I use JWT to secure stateless requests to the backend. One feature is to set the system time via the Frontend, by issuing a command to the backend, which sets the local machine time, to deal with timezones. Problem is, when the time change is more than the 30 min in the past, the user gets logged out due to session timeout. What would be the best way to solve it? My approach was to set the timeout to indefinite, change system time and change the timeout back to 30 min, using a refresh token. Any other ideas? Thanks.
If you ask me, using expiration time in JWT when system time can change does not make sense. So my options would be:
- Do not use expiration time at all
- Use refresh tokens
- Revoke all issued tokens
- Time history: Accept the old tokens by calculating the date they were issued. You can know when a token was issued by adding a unique and incremental jti identifier. When system time changes, store the current jti value and the difference between old and current time
jti - time diff
You can empty the list when the maximum expiration time is exceeded
You could implement a refresh token. So whenever the access token expires, the user can request a new access token, using the refresh token.
Related
I have a requirement where I need to communicate with Snowflake Sql-Api in the back-end from my application. As I come across the snowflake sql-api documentation, it supports authentication using either oauth access token or JWT token generated with keyvaluepair. For this, I am having a configuration property in my application to configure the access token with customer in properties file.
However, I see that oauth token generated has maximum expire period of 10 minutes and JWT token has maximum expire period of 60 minutes. In our use-case having the shorter expiry period is not feasible as user can't change the properties file regularly and restart my application.
I would like to know what is the way to have access token configured with long expiry period like 30/90 days etc or the way I can communicate with snowflake sql-api as per my use case.
Looking forward to hear from you.
Thanking you in advance.
I am using ReactJS as my front end, with a python flask API backend. I have one hole in my application as it stands - when my users close out of the browser, they are not logged out (unless the Cognito refresh token expires).
However, I have read that the refresh token should not expire in a short period of time, and on Cognito, it has a minimum of 60 minutes.
I also have tried and disliked the window onUnload since (A) it only works on the first window/tab you open for the application and (B) reloads also trigger the onUnload.
I am currently considering my option to be on my backend, ie marking the last time I heard from the user and logging them out after 15 minutes if I have not heard an API call for data. However, this seems to bring its own issues (ie not every user will be refreshing the page and looking for data in the 15 minute window, but I could solve that by the onActive (I have an idle timer) whenever the user makes an action, I ping my api to tell it to reset my timer). The other main issue is I don't know how to remotely log someone out of their session in cognito without havign access to their username and passcode which feels like a security issue.
Any and all help would be appreciated
I'm having this problem with my application where it will eventually (unsure of the timeframe, presumably 1 hour) stop updating live with firebase realtime database changes without logging out and back in. The security rules prevent unauthorized users from accessing data. The user will remain logged in and the authentication session persists, so I've been miserably confused as to why it eventually stops updating.
After a painful amount of internet scouring, I've come to find out that the token ID given on login lasts only 1 hour, at which point they are refreshed automatically using the refresh token. (For the record I am logging in with firebase.auth().signInWithEmailAndPassword).
Now, my question - Do I need to resubscribe to my database after the token ID is refreshed? More specifically, do I need to call firebase.database().ref().off() and then subsequently call firebase.database().ref().on() when a token refresh is detected? If not, can you possibly point me in the direction of what might be going wrong?
Edit: It may also be worth noting that if I change my security rules to allow unauthenticated reads, the user is still able to write to the database indefinitely without having to reauthenticate.
Firebase passes the new authentication token to the database automatically. As long as the user remains the same, you don't need to reattach the listeners.
The only moment you might have to reattach is if the user somehow becomes signed out. This may happen when the ID token can't be refreshed, for example because the account has been disabled, or the password has been changed. In that case the existing listeners will be canceled, which will be logged in the client, and the (optional) error callback for on will be invoked. At that point you'll need to reauthenticate and attach new listeners.
As far as web applications are concerned I know I can refresh/reissue the JWT by setting another parameter expireUntil in JWT with some duration and check it in each subsequent request and if it's not expire I can reissue the token or something along those lines. I don't know how efficient it is or if it's the right approach but that's the one I had in mind. Secondly I could also do it on the front-end by keep looking at the expiry time and resend the request to reissue it if it's about to expire. Anyway, the idea is to not let the user sign off if it's continuously making requests like in old session era.
Apart from that, the major question is how mobile application keeps the token alive forever. I don't think I was ever signed out of my Uber or foodpanda app even if I'm offline for days. How do they do it in case of mobile apps? Do they simply set the token expiry to some really large arbitrary value or some other way to authenticate and reissue the token because I know I can't do that with the approach I listed in above paragraph as if the user remains offline for a day my token will expire.
Any ideas how can I do that?
I have a GAE Python app that stores session data in a SessionStore object obtained via webapp2_extras.sessions.get_store(request=self.request).
I have seen sessions persist for days when I don't shut my browser down, but it occurs to me that as admin for the app, I have no way of clearing stale SessionStore objects in the server, that is, when a user's data that will never be accessed again after his or her browser is closed.
Is this a memory leak in my app running on GAE, or does GAE or WEBAPP2 have some strategy for recognizing a stale session and releasing that memory? I can't find an answer in the GAE/WEBAPP2 docs, so if you have a link that provides the answer, that would be appreciated.
You can configure the expiration time of a session store with webapp2_extras.sessions.default_config:
session_max_age: Default session expiration time in seconds.
Limits the duration of the contents of a cookie, even if a session
cookie exists. If None, the contents lasts as long as the cookie is
valid. Default is None.
Now if you want to handle the expiration yourself,
a strategy for recognizing a stale session might be to store a timestamp in the cookie or the session data and to check it on each page request. When you want to expire the session, call self.session.clear().