Remembering users? #525

Open
OrkhanAlikhanov opened this issue Aug 24, 2019 · 3 comments
OrkhanAlikhanov commented Aug 24, 2019

Although the framework provides a way to authenticate and fetch the user from the database, it seems to be missing "remember me" functionality. It would be great if there was a built-in way to do this.

Laravel provides a layer called Auth for authenticating the user and dealing with its state, even permission gates. Again, I am not forcing anybody to follow Laravel in every step, but there are proven benefits to their abstraction. Check out these:
https://github.com/laravel/framework/blob/5.8/src/Illuminate/Auth/
https://laravel.com/docs/5.8/authentication#remembering-users
https://laravel.com/docs/4.2/upgrade#upgrade-4.1.26

LoicPoullain (Member) commented

This is a valid issue. Thank you for raising it!

I'm moving this to the To-Do list.

In the meantime, it is possible to simulate a "remember me" feature that will apply to all users by extending the timeout values (for example by specifying a year as the value): https://github.com/FoalTS/foal/blob/master/docs/authentication-and-access-control/session-tokens.md#session-expiration-timeouts

scho-to (Contributor) commented Aug 16, 2022

Hello @LoicPoullain,

I looked into the docs already, to think about an implementation of this feature. Yet, you can choose to set timeouts using this guide in the docs: https://foalts.org/docs/authentication-and-access-control/session-tokens#session-expiration-timeouts

So for this feature, in the process of saving the user to the session, `ctx.session.setUser(user)`, there needs to be another parameter, like a boolean "rememberMe". If this gets set to true, at least the "absolute timeout" needs to get set to a predefined (by config?) value.

Or do you already have another idea of how to implement such a feature?

LoicPoullain (Member) commented Aug 25, 2022

Hi @scho-to 👋

> If this gets set to true, at least the "absolute timeout" needs to get set to a predefined (by config?) value.

This issue is more complex. One way to implement the remember me feature would be simply to increase both idle and absolute timeouts to a value further in the future. But this involves some security concerns as authentication tokens should have a short lifetime.

There is a big study to be done here that involves studying the OWASP recommendations and the state of the art in other web frameworks.
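
The timeout interaction discussed in this thread, as an added example that is not FoalTS code and not part of any comment above. It uses a hypothetical session model (all names and timeout values are assumptions) to show that raising only the absolute timeout does not keep an inactive user signed in, while raising both keeps a token usable for the whole absolute window.

```typescript
// Added example: a hypothetical session model, not FoalTS's implementation.
interface Timeouts { idle: number; absolute: number } // both in seconds

interface Session {
  userId: string;
  createdAt: number; // epoch seconds at login
  updatedAt: number; // epoch seconds of the last accepted request
  timeouts: Timeouts;
}

const DAY = 24 * 3600;
// Assumed values, chosen for illustration only.
const DEFAULT: Timeouts = { idle: 15 * 60, absolute: 7 * DAY };
const ABSOLUTE_ONLY: Timeouts = { idle: 15 * 60, absolute: 365 * DAY };
const REMEMBER_ME: Timeouts = { idle: 30 * DAY, absolute: 365 * DAY };

// The caller picks the profile once at login (e.g. from a rememberMe flag).
function createSession(userId: string, now: number, timeouts: Timeouts): Session {
  return { userId, createdAt: now, updatedAt: now, timeouts };
}

// A session dies at whichever limit is reached first.
function expiresAt(s: Session): number {
  return Math.min(s.updatedAt + s.timeouts.idle, s.createdAt + s.timeouts.absolute);
}

function isExpired(s: Session, now: number): boolean {
  return now >= expiresAt(s);
}

// Called on each authenticated request: resets the idle timer only.
function touch(s: Session, now: number): boolean {
  if (isExpired(s, now)) return false;
  s.updatedAt = now;
  return true;
}

// Days a token stays usable when its holder sends one request per day.
function daysUsable(timeouts: Timeouts): number {
  const s = createSession("u1", 0, timeouts);
  let d = 0;
  while (touch(s, (d + 1) * DAY)) d++;
  return d;
}
```

With these assumed values, a user who returns after one day is signed out under both `DEFAULT` and `ABSOLUTE_ONLY`, while under `REMEMBER_ME` the same token is accepted for 364 consecutive daily requests, which is also how long a copied token would remain valid.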
