I want to implement a typical "Remember me" functionality on my site which requires a way to create cookies that expire in some far away future. Is there a way to create those in Phoenix Framework?
Just give the cookie a really high :max_age value:
http://hexdocs.pm/plug/Plug.Conn.html#put_resp_cookie/4
Related
My question may be answered here, Are sessions needed for python-social-auth, but I feel as if I'd be making assumptions and would like to be positive regarding my understanding (NOTE: I'm not using django, I'm using mongo express react node, I'm guessing django might come with sessions built in or something). I followed this guide https://medium.com/hyphe/token-based-authentication-in-node-6e8731bfd7f2 to add token authentication and user login to my CRUD web app, works great, users are authenticated properly, routes are protected. However, everywhere I read about the fundamentals of session and session management states that "every web application in the world that maintains user data has to deal with sessions" (source: https://nodewebapps.com/2017/06/18/how-do-nodejs-sessions-work/). Currently, my react client uses setInterval to regularly check if the access token will expire soon enough to receive a new one via the refresh token. Is implementing sessions required for my app? If so, what is it that they add that I am missing?
It depends on the type of application.
If the resources being accessed using a token are not user specific, then sessions are not useful.
However, in a scenario where the resources are unique for different users (e.g. one has to sign in, etc), then it's wise to implement both sessions and access tokens.
Remember that tokens can also be saved within a session. Checkout 'express-session' to implement sessions in expressjs.
I am developing a web system in php using the laravel framework, I arrived at the part of authentication of users, where it is not allowed the type of user x access to page y. What is the best way to do this with laravel? I thought about creating a session and saving the id of the user, so every time he accesses a certain controller I check if he has access to the id or not. so I had some doubts.
Is this a good way to perform this authentication?
Is this really safe?
is there any way for the client to change my session?
What would be a better method for authenticating user access?
Laravel provides a very good authentication system out of the box. Even though Hacking is inevitable it provides very good protection and since Laravel is pretty popular framework you don't have to worry about the security part. if there is any security bug, patches will be available almost immediately.
And your second concern can a client can change the session ? the answer is NO, if you code it properly. session resides in the server unlike cookies, so there is no direct way for a user to change the session. if you follow good coding practices you are good to go.
And how do you limit userA from accessing pageB. This is a pretty common feature needed in almost all the applications. As of now Laravel does not provide an out of the box solution for this. but this is pretty simple, you can add a role column to the users table, and check whether user have appropriate permission in each page. Laravel keeps the user object in the session, and it is avilable via the auth() helper or Auth Facade. if you want a little sophisticated solution there is a package out there [entrust][1]. it seems a good choice.
You may want to read about
Authorization
Csrf Protection
Authentication
I hope I have addressed all your concerns
Laravel provides a simple way to authorize action thats purpose built for what you need:
https://laravel.com/docs/5.5/authorization
I have a website where the user can check a checkbox: Remember me. By checking this checkbox it will ensure that the session cookie will have an expire time of 2 weeks.
If the same user next day goes to the site he must automatically be logged in.
I can do this by putting in the constructor of the main controller an isset(session->userdata['username']), and if its set then that user will be logged in.
But my question is, will this be secure? Can't another person just make a custom cookie with a username(which he knows) and it will automatically logs him in?
I hope to get some input from you guys:) thank you.
There is no quick and easy answer. Take a look at these links which covers a lot regarding login best practices (including "remember me" option):
What is the best way to implement "remember me" for a website?
http://jaspan.com/improved_persistent_login_cookie_best_practice
http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
The definitive guide to form-based website authentication
We developed a MVC 4 Web application with form cookie authorization.
Is a good approach use session variables and authentication cookie together?
Thank you.
I would know if is possible some synchronization between cookie and session timeout. Based in my research it's problematic due to its different lifecycle.
.NET 4.5 has incorporated the Windows Identity Foundation (WIF) as a core part of the framework and has made claims-based security a integral part of it. With claims-based security it easy to add custom information to the identity of the user as a new claim. Dominick Baier has a great training course on this in PluralSight called Introduction to Identity and Access Control in .NET 4.5. You can sign up for a free trial to check this course out. You can also get good information on security in .NET on Dominick Baier's Blog.
Ok, this is my answer. After some research and code testing, the best solution it's always read information from auth cookie.
Use of Session and cookie auth at same time it's hard to control due to its differents lifecycle.
If we have, for example, a valid cookie auth and a timed out session, in the next request we will have a renewed session without any user info.
I'm creating josi, a web framework for node.js. And I'd like to add session storage. What would be the best way to implement this? I'm assuming it probably has to be cookie based, but I'm interested in knowing if any other frameworks have a different approach.
I had a look at josi a few days ago. Very nice work!
Other than cookie based, you could use infamous session tokens (e.g. JSESSIONID, PHPSESSID and ASPSESSIONID) and put them in hidden forms or the URL query string.
Cookies are really the best option. They work perfectly for the job.
You always need to reference the server session somehow, cookies are the de-facto standard for this sort of stuff.
How the session is stored on the server side is usually up to you... I really like PHP's approach with session_start(); which does all the session storage and cookies setting for you.
PHP for example stores the session data in a file, making it cross-platform (all platform's have disk storage APIs). Other session mechanisms use a relational-database like MySQL, but that's not really cross-platform unless you want to target those type of users.