Cookies in Google Scripts Web App - session

Is it possible to keep track of cookies (or any kind of session variables) in a GAS Web App? The script is running as myself, and anyone (even anonymous) can access the site. I need to be able to keep track of login information, so I should be able to see if the user is logged in between requests.
Note: The user is not required to have a Gmail account.

I didn't find the GAS solution for this even after almost 3 years since this question was asked.
Looks like the only solution is to use javascript cookie handling (document.cookie) in each template file.

Related

Does token auth make sessions unnecessary?

My question may be answered here, Are sessions needed for python-social-auth, but I feel as if I'd be making assumptions and would like to be positive regarding my understanding (NOTE: I'm not using django, I'm using mongo express react node, I'm guessing django might come with sessions built in or something). I followed this guide https://medium.com/hyphe/token-based-authentication-in-node-6e8731bfd7f2 to add token authentication and user login to my CRUD web app, works great, users are authenticated properly, routes are protected. However, everywhere I read about the fundamentals of session and session management states that "every web application in the world that maintains user data has to deal with sessions" (source: https://nodewebapps.com/2017/06/18/how-do-nodejs-sessions-work/). Currently, my react client uses setInterval to regularly check if the access token will expire soon enough to receive a new one via the refresh token. Is implementing sessions required for my app? If so, what is it that they add that I am missing?
It depends on the type of application.
If the resources being accessed using a token are not user specific, then sessions are not useful.
However, in a scenario where the resources are unique for different users (e.g. one has to sign in, etc), then it's wise to implement both sessions and access tokens.
Remember that tokens can also be saved within a session. Checkout 'express-session' to implement sessions in expressjs.

Clarifications of use of Session in Parse Dashboard

I recently noticed the addition of a "Session" object in Parse dashboard. Now, from what I understand, a session uniquely identifies a user to the server. So why would we need such a Session? For the session token? We already have a currentInstallation... so I don't really see the point. Can someone explain and provide a scenario where I would use the "Session" object. Right now they just annoy me by their presence because they take up potential space on the Parse server and I would like to go delete them all but want to make sure that isn't stupid.
The sessions are used by parse to deal with the users (is the user logged?, on which devices?, etc.), and are available as a class as you may want to manipulate them. By deleting the sessions you would automatically logout all your users, so it's a pretty bad idea.
You don't have to use or touch anything about this class, but here are few examples of why it can be useful:
[...] If a user contacts you about his or her account being compromised in your app, you can use the Data Browser, REST API, or Cloud Code to forcefully revoke user sessions using the Master Key. These new APIs also allow you build a “session manager” UI screen where your app’s users can see a list of all devices they’ve logged in with, and optionally log out of other devices. [...]
You can read more about the Sessions on their blog post.

I want to use my app for global network

We have created an app on Yammer which is currently private.
We want to make it available and accessible to networks outside us. Please suggest if there is a way to get it authenticated by outside network or do we have to go by the process of submitting the app to Yammer support for global access.
If that is the case, please help us know how much time does it require to get reviewed and approved as it is almost a week and we have not heard back from Yammer support.
You need to submit the app to Yammer's App Directory for approval. Depending on your app you may also be able to allow users to configure their own Client ID, but this is really only a usable approach for developers or system admins. End users wouldn't understand how to do that.

Reconciling browser-side and server-side authentication

apologies if this has been asked but I'm trying to figure out this kind of stuff for the first time -
I'm developing an app where I want to divide the authenticated content from the web-facing side, completely; therefore I am not using a simple backbone.js-style "keep all views in one file" (unless I'm wrong about this, please illuminate!) but actually divided server files (using PHP).
Current flow: the user logs in client-side (using the Parse.com Todo app as an example) and, if successful, I store cookie (via POST/AJAX) with user email and the returned sessionToken on client side. I then thought that when user next visits site, the server can read cookie and shuffle the user to the private/locked portion of site, which, again, is a different set of PHP files.
Here I get lost -- how do I then tell Parse.com that the user is logged in, if I don't have her username/password (only email), and start grabbing data from the classes? Is there a way to do this that I'm not recognizing? I guess I can load different .JS files, read if a session exists, and JS-redirect to a different url, but that seems to me to be a weird way of going about it.
Is there a general philosophy/methodology to my questions that I should read up on, along concrete advice dealing with Parse.com questions?
I believe the Parse User session management functions should be good for you.
Check out https://parse.com/docs/cloud_code_guide#webapp-users
There is an example at the bottom of their announcement blog post here: http://blog.parse.com/2013/09/04/new-cloud-modules-for-images-and-users/
It gives you user session management with minimal effort.

Using Cookies versus Sessions for login

I'm building a basic login script from a book that uses sessions to manage wether a user is logged in or not.
This is great, but when I close my browser, and then reopen it, I have to log back in.
Whereas, with Facebook for example, I remained logged in, even if I have closed my browser. I'm guessing this is done using cookies. Is it safe to use cookies? How long should this cookie last? Sometimes websites explicitly say, "please remember to log out at the end of your visit". Why would this be necessary?
Currently my script is kinda like this:
session_start();
if (is_set($_POST["login_button_pressed"])){
if (form_verified_successfully()){
$user_details = get_user_details_from_database();
$_SESSION['username'] = $user_details['username'];
}
}
Would it be easy to modify the above to work with cookies? And if so, how?
Thanks
A cookie is a small text file that is saved to a temporary directory on the user's harddrive. This cookie can be accessed by the browser that placed it there. It can hold data such as previously visited URLs (posts the user read vs hasn't read), the user's credentials or even the contents of the users cart or a post they didn't finish writing in a forum. You will choose how long the cookie is valid for that system, most common that I have seen are 24 hours, 7 days, 14 days and 30 days.
A session is attached to the actual piece of software interacting with the web server, ie, a browser, command prompt or other application. Once the browser is closed or the application is shutdown the session data will be lost.
Reasons you might want to have the user login again, the data you have granted access to is very private information that another user who grabs the computer 15 minutes later shouldn't have access to (banking, account settings) or the data you have given to the user is time sensitive and you want to force the user to sign in again and be given fresh data when they come back.
Most social networking sites like Facebook, LinkedIn, Google+, Twitter and several other forums and blogs will give you a cookie to let you stay logged in for up to a month or longer so you can easily come back and look through the site and post to your profile. However, if you go to change your account settings they will prompt you to login again and will only give you access to those pieces of the site during your current session. This is for security reasons.
I hope this helps out. For a quick reference, run a Google search on sessions vs cookies. You should be able to find a relevant article to whatever language/platform you are using. There are great articles out there for PHP, Java, .net and others that discuss advantages, disadvantages and best practices.
Changing to a cookie:
As for your last question, it shouldn't be very hard to change to using a cookie. Most likely it will be referenced via _COOKIE instead of _SESSION, but you will have to tell the cookie what information to hold and how long to stay active. A quick Google search for setting cookie [language] should provide plenty of tutorials. Replace [language] with either PHP, Java, Spring, .net, etc.

Resources