
Remembering users?

Open OrkhanAlikhanov opened this issue 4 years ago • 3 comments

Although the framework provides authentication and fetching the user from the database, it seems to miss "remember me" functionality. It would be great if there was a built-in way to do this.

Laravel provides a layer called Auth for authenticating the user and dealing with its state, even permission gates. Again, I am not forcing anybody to follow Laravel in every step, but there are proven benefits to their abstraction. Check out these:
https://github.com/laravel/framework/blob/5.8/src/Illuminate/Auth/
https://laravel.com/docs/5.8/authentication#remembering-users
https://laravel.com/docs/4.2/upgrade#upgrade-4.1.26

OrkhanAlikhanov (Aug 24 '19 19:08)

This is a valid issue. Thank you for raising it!

I'm moving this to the To-Do list.

In the meantime, it is possible to simulate a "remember me" feature that will apply to all users by extending the timeout values (for example by specifying a year as the value): https://github.com/FoalTS/foal/blob/master/docs/authentication-and-access-control/session-tokens.md#session-expiration-timeouts

LoicPoullain (Sep 02 '19 07:09)

Hello @LoicPoullain,

I looked into the docs already, to think about an implementation of this feature. Yet, you can choose to set timeouts using this guide in the docs: https://foalts.org/docs/authentication-and-access-control/session-tokens#session-expiration-timeouts

So for this feature, in the process of saving the user to the session (`ctx.session.setUser(user)`), there needs to be another parameter, like a boolean `rememberMe`. If this gets set to true, at least the "absolute timeout" needs to get set to a predefined (by config?) value.

Or do you already have another idea of how to implement such a feature?

scho-to (Aug 16 '22 06:08)

Hi @scho-to 👋

> If this gets set to true, at least the "absolute timeout" needs to get set to a predefined (by config?) value.

This issue is more complex. One way to implement the remember me feature would be simply to increase both the idle and absolute timeouts to a value further in the future. But this involves some security concerns, as authentication tokens should have a short lifetime.

There is a big study to be done here that involves studying the OWASP recommendations and the state of the art in other web frameworks.

LoicPoullain (Aug 25 '22 06:08)
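To make the idle/absolute timeout discussion above concrete, here is an added example (not FoalTS code, and not the API proposed in the thread) of a session expiry check where a per-session `rememberMe` flag selects longer timeouts only for sessions that asked for it; all type and function names are hypothetical and the timeout values are constructed for illustration.

```typescript
// Added example: models the two session timeouts discussed in the thread
// (idle and absolute) with an optional "remember me" flag. Names and values
// are hypothetical, not FoalTS's own API or defaults.
interface TimeoutConfig {
  idleSeconds: number;      // max time between two requests
  absoluteSeconds: number;  // max total lifetime since login, activity or not
}

interface StoredSession {
  userId: string;
  createdAt: number;   // unix seconds, set at login and never moved
  lastUsedAt: number;  // unix seconds, refreshed on each request
  rememberMe: boolean; // opt-in per session, not a global setting
}

// Constructed values: short defaults, longer "remember me" window.
const DEFAULT_TIMEOUTS: TimeoutConfig = { idleSeconds: 15 * 60, absoluteSeconds: 7 * 24 * 3600 };
const REMEMBER_ME_TIMEOUTS: TimeoutConfig = { idleSeconds: 30 * 24 * 3600, absoluteSeconds: 365 * 24 * 3600 };

function timeoutsFor(session: StoredSession): TimeoutConfig {
  // Only sessions that explicitly opted in get the extended timeouts,
  // so raising the global config (the workaround in the thread) is not needed.
  return session.rememberMe ? REMEMBER_ME_TIMEOUTS : DEFAULT_TIMEOUTS;
}

type SessionState = 'valid' | 'idle-expired' | 'absolute-expired';

function checkSession(session: StoredSession, now: number): SessionState {
  const t = timeoutsFor(session);
  // Absolute timeout is checked first: it caps the lifetime regardless of activity.
  if (now - session.createdAt >= t.absoluteSeconds) return 'absolute-expired';
  if (now - session.lastUsedAt >= t.idleSeconds) return 'idle-expired';
  return 'valid';
}

function touchSession(session: StoredSession, now: number): StoredSession {
  // Refreshes only the idle clock; createdAt stays put so the absolute cap holds.
  return { ...session, lastUsedAt: now };
}
```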