I built my APIs with laravel 5, both my web application and mobile app use the same APIs. On the web app there is a default expiration of 60 minutes after which user will have to log back in again. However on mobile i do not want that, no automatic session expiration for mobile, the user can only be logged out after they have clicked the logout button on the app.
I use JWT with satellizer for my authentication, i would like to know how to achieve this.
I have the same setup as you have on my web application and mobile app.
I simply store the username/email and password on the phone (native) and everytime the user opens the app it does a call to receive a new JWT.
When the user is loggin out on the phone, the password is removed.
I think this is the simplest solution, and for security you can encrypt the password in the storage.
I believe the current practice based on this answer is that you prolong or refresh the token before it expires. I do not believe you can't not have an expiration.
Related
Has anyone of you seen any example or documents how to do AD Authentication in React.js Application that does not use any Login buttons when User is all ready Authenticated?
I have look many Authentication samples like Microsoft's https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-react has but everyone of them has a Sign-in and Sing-out Buttons not automatic Authentication and redirect if User has all ready logged in and Authenticated. I mean something like SSO style AD Authentication that is usually wanted to Customer's Web Applications. I use MSAL packages.
Any help valued.
Thanks
You can use the localStorage or cookies to store the localStorage or cookies to store the token, and when you reload the application then you can check if the token is valid and available in localStorage or Cookies, if it is then redirect the user to the home page otherwise redirect the user to the login page.
In the MSAL browser, acquireTokenSilent get's refresh token on every call to the token end point. The very first refresh token has a duration of 1 hour. Subsequent refresh tokens all have reduced (the remaining) expiry time.
I am working on a subscription based platform, where user buys a subscription plan and then he/she can get access to the content.
Tech Stack: React in Frontend and Django REST Framework in Backend
I want to find a way to prevent user login from multiple devices or multiple tabs from a browser. There should be one session per user.
I have researched about it but could not find anything suitable. Some are using session authentication scheme to store the user session and adding middlewares and prevent multiple logins.
But i am using JWT token Authentication scheme. I am storing JWT token in front end.
How should i implement in such case which not having session authentication? Any leads?
i've a desktop site based on wordpress.
Mobile version is on a subdomain and is developed using angularJs (ionic).
I'm trying to figure out what the best solution to authenticate mobile version users using wordpress wp_users credentials.
Thanks in advance for any advice.
1 - Basic Auth: The easiest, This one is not recommended for production since your users will be sending their credentials with each request, only use it over https.
2 - OAuth: This one is secured but might not be interesting because users will be redirected to WP to login then redirected back after login success, here is a decent tutorial for it.
3 - JWT Auth: This one is interesting because it only sends user credentials once, when login succeed you will get a jwt token which will be used instead of user's password in each request.
For your app purpose I recommend implementing your own authentication method, make a plugin for that, it should generate a secret token and save it in user session, it should also block any request that doesn't include that secret token.
my ignorance is shining brightly on this one. I have a Web App that uses the MEAN stack (Mongo, Express, Angularjs, Nodejs) and some of the functionality is lackluster on mobile devices. So I'm developing a mobile version of the app on the Appgyver Supersonic platform. The Appgyver framework is based on an Angularjs front-end.
So I was hoping to just use the same Express/Nodejs server that I have running for the Web App and make queries/requests from the mobile app. Authentication is my current challenge. I assumed that I could send the username and password via a POST request and sign in and create a new session. I can sign in but I can't get access to the session cookie connect.sid so my next request has no session data with it.
TLDR; I have an Angular app that is on a different server than my Express/Nodejs back-end. I wish to authenticate the Angular app but can't figure out how to access the connect.sid cookie.
Since this never got any traction and I found what I think is a 'workable' solution I figure I'll answer my own question. If you see that I'm doing something really stupid here, please let me know.
When I login my client to the server, I respond with a session token. I store that same token on the User profile in Mongoose. I store the token on the mobile device using localStorage.
Whenever I send a request to the server I send the token with it, and have the Server check to see if the token matches the User token - if it does, I grab the User Profile data and assign it to req.user; which then seems to make the back-end operate properly.
Any major security concerns?
We have WebAPI2, Thinktecture IdentityServer and AngularJS applications hosted on IIS. Our plan is to set up the webapi2 application stateless. Here is the flow:
Users open our AngularJS application. If not logged in, they get redirected to the login page.
Users enter their credentials, and click login. The credentials get sent to the STS server. If they get authenticated, a JWT gets returned.
AngularJS saves the JWT in the localstorage
To access resources on the WebAPI, angularjs application attaches the JWT on every request.
Before attaching the JWT, it checks the JWT's expiration date. If it hasn't expired, request sent to the API; else, redirected to the login page.
We want the session to be be valid only for 30 minutes. As and when the user does something on the application, the token should slide the expiration datetime. The easiest solution could be enabling sessions for the WebAPI application, but we don't want that. Also, we don't want to get a token before every WebAPI call.
Could we implement sliding sessions/tokens in this scenario? If so, how?