
Add "Remember Me" cookie functionality

Open smola opened this issue 11 years ago • 13 comments

An essential feature for many of us is "Remember Me" cookies. It would be good to have it included in Play! Authenticate.

smola avatar Dec 27 '12 12:12 smola

There is a fork that implements this - I am currently in the process of reviewing how it can be included. In the meantime you can also set the session age to "30d" for example to get the same effect for all your users.

joscha avatar Dec 27 '12 12:12 joscha

See here: https://github.com/chaschev/play-authenticate/commit/617384cb650ca89da53386796dea08be738a97ce (plus the commit before)

joscha avatar Feb 06 '13 00:02 joscha

Yes. That solution did not play well with my set-up. So at the moment I'm using an ad hoc solution. My Remember Me functionality is implemented "outside" Play Authenticate and plugged in my providers' handleLogin.

smola avatar Feb 06 '13 09:02 smola

Okay - did you need to fork Play! Authenticate for this? If no, it would be great to get a sample of your solution.

joscha avatar Feb 06 '13 15:02 joscha

I did not fork Play! Authenticate. Here it is: https://gist.github.com/smola/4723534

Note that it probably does not play well with more providers (I have only a username/password provider enabled), and I'm probably missing some security issues.

smola avatar Feb 06 '13 16:02 smola

I'm working on fixing my implementation (it tries to set PLAY_SESSION and REMEMBER_ME cookies in the same response), as well as getting everything working with more providers. I'll post it as soon as I get something decent.

smola avatar Feb 14 '13 12:02 smola

great, thanks for the update!

joscha avatar Feb 14 '13 12:02 joscha

This is a work in progress for integrating Remember Me: https://github.com/smola/play-authenticate/tree/cookie

It is based on these guidelines: http://jaspan.com/improved_persistent_login_cookie_best_practice

In short:

CookieAuthUser has a series (random string, which is also its ID) and a token (also a random string, which changes after each use of the cookie). A user can have as many simultaneous CookieAuthUsers linked to his account as devices/browsers where he has logged in.

CookieAuthProvider does not provide an implementation for the authenticate() method. It provides the following methods:

  • public void remember(final Context ctx, final AuthUser authUser): called from any point where the cookie should be set or updated. Usually, after any successful authentication (to make this possible, I added Resolver.afterAuthSuccessHook() method, which is one of the places where I call remember)
  • public void remember(final Context ctx): convenience method calling the former using PlayAuthenticate.getUser()
  • public void forget(final Context ctx): called on logout.
  • public CookieAuthUser tryAuthenticate(final Context ctx): this is called when the auto-login should happen (in my case, in MyDeadboltHandler.beforeAuthCheck() and a custom @RememberMeAction that I attach to every action where auto-login can happen). It would be nice to do this globally, implicitly for any action; any ideas?

Actually, CookieAuthProvider is abstract, so the user has to extend it and implement the following methods:

  • protected CheckResult check(final CookieAuthUser cookieAuthUser): checks the cookie against the database. Possible responses are SUCCESS (series and token are ok), INVALID_TOKEN (series is ok, token is not), MISSING_SERIES (series was not found at all), EXPIRED (series and token are ok, but they expired), ERROR (any other error that prevents a successful login).
  • protected void save(final CookieAuthUser cookieAuthUser, final AuthUser loginUser): Saves the series/token for the given login user. This might be removed and replaced by UserService.link().
  • protected void renew(final CookieAuthUser cookieAuthUser, final String newToken): Updates the token for a given series. I think this might be replaced with UserService.update().
  • protected void deleteSeries(final CookieAuthUser cookieAuthUser): Delete any series matching this one.
  • protected void potentialTheft(final CookieAuthUser cookieAuthUser): Executed when a potential cookie theft has happened. This can be used to log something, send an email, or display a notification.

I have this approach integrated in my app and it seems to be working. But it's still not clear to me where Remember Me should be hooked for proper integration with play-authenticate.

smola avatar Mar 13 '13 10:03 smola
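The comment above describes the series/token scheme from the Jaspan guidelines in terms of the CookieAuthProvider methods. The following is an added example written for this thread, not code from smola's cookie branch or from play-authenticate itself: a self-contained Java sketch of that scheme with an in-memory map standing in for the database. The names CheckResult, CookieAuthUser, remember, forget, tryAuthenticate, check, renew, deleteSeries and potentialTheft come from the comment; the class RememberMeDemo, the Login and Row classes, the cookie value layout (series:token), storing only a SHA-256 hash of the token, and revoking every series of the user on a detected theft are assumptions of this example (the last one follows the Jaspan article's recommendation).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.*;

public class RememberMeDemo {
    /** Outcomes of check(), using the names from the thread. */
    enum CheckResult { SUCCESS, INVALID_TOKEN, MISSING_SERIES, EXPIRED, ERROR }

    /** What the cookie carries: a series id and the current single-use token. */
    static final class CookieAuthUser {
        final String series, token;
        CookieAuthUser(String series, String token) { this.series = series; this.token = token; }
        String toCookieValue() { return series + ":" + token; }
        static CookieAuthUser fromCookieValue(String v) {
            int i = v == null ? -1 : v.indexOf(':');
            return (i <= 0 || i == v.length() - 1) ? null : new CookieAuthUser(v.substring(0, i), v.substring(i + 1));
        }
    }

    /** Result of a successful auto-login: the user plus the renewed cookie to send back (assumed shape). */
    static final class Login { final String userId, newCookieValue; Login(String u, String c) { userId = u; newCookieValue = c; } }

    /** One row per series; an in-memory stand-in (assumption) for the database table. */
    private static final class Row { final String userId; byte[] tokenHash; Instant expiresAt;
        Row(String u, byte[] h, Instant e) { userId = u; tokenHash = h; expiresAt = e; } }

    private final Map<String, Row> rows = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration lifetime;
    final List<String> theftAlerts = new ArrayList<>();   // what potentialTheft() records
    RememberMeDemo(Duration lifetime) { this.lifetime = lifetime; }

    private String randomString() {               // 128 bits from SecureRandom, URL-safe base64
        byte[] b = new byte[16]; rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static byte[] hash(String s) {        // only the token's hash is stored server-side
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** remember(): start a new series for the user; returns the cookie value to set. */
    String remember(String userId, Instant now) {
        CookieAuthUser c = new CookieAuthUser(randomString(), randomString());
        rows.put(c.series, new Row(userId, hash(c.token), now.plus(lifetime)));
        return c.toCookieValue();
    }

    /** check(): validate the presented series/token; the token compare is constant-time. */
    CheckResult check(CookieAuthUser c, Instant now) {
        if (c == null) return CheckResult.ERROR;
        Row r = rows.get(c.series);
        if (r == null) return CheckResult.MISSING_SERIES;
        if (!MessageDigest.isEqual(r.tokenHash, hash(c.token))) return CheckResult.INVALID_TOKEN;
        if (now.isAfter(r.expiresAt)) return CheckResult.EXPIRED;
        return CheckResult.SUCCESS;
    }

    /** tryAuthenticate(): the auto-login path. Null means no auto-login; on success the token is renewed. */
    Login tryAuthenticate(String cookieValue, Instant now) {
        CookieAuthUser c = CookieAuthUser.fromCookieValue(cookieValue);
        CheckResult result = check(c, now);
        if (result == CheckResult.SUCCESS) {
            Row r = rows.get(c.series);
            String newToken = randomString();     // renew(): the token changes after every use
            r.tokenHash = hash(newToken);
            r.expiresAt = now.plus(lifetime);
            return new Login(r.userId, new CookieAuthUser(c.series, newToken).toCookieValue());
        }
        if (result == CheckResult.INVALID_TOKEN) potentialTheft(c);  // known series, stale token
        if (result == CheckResult.EXPIRED) deleteSeries(c);
        return null;
    }

    /** forget(): on logout, drop only this device's series. */
    void forget(String cookieValue) { deleteSeries(CookieAuthUser.fromCookieValue(cookieValue)); }

    void deleteSeries(CookieAuthUser c) { if (c != null) rows.remove(c.series); }

    /** potentialTheft(): record the event and revoke every series of that user (the Jaspan response). */
    void potentialTheft(CookieAuthUser c) {
        String userId = rows.get(c.series).userId;
        theftAlerts.add("series " + c.series + " of " + userId + " presented with a stale token");
        rows.values().removeIf(r -> r.userId.equals(userId));
    }

    public static void main(String[] args) {
        RememberMeDemo store = new RememberMeDemo(Duration.ofDays(30));
        Instant t0 = Instant.parse("2013-03-13T10:00:00Z");            // constructed timestamp
        String cookie = store.remember("alice", t0);                     // set after a password login
        Login l1 = store.tryAuthenticate(cookie, t0.plus(Duration.ofDays(1)));
        System.out.println("auto-login as " + l1.userId + ", cookie rotated: " + !l1.newCookieValue.equals(cookie));
        Login replay = store.tryAuthenticate(cookie, t0.plus(Duration.ofDays(2)));  // the old value presented again
        System.out.println("old cookie accepted: " + (replay != null) + "; alerts: " + store.theftAlerts);
        System.out.println("current cookie now: " + store.check(CookieAuthUser.fromCookieValue(l1.newCookieValue), t0.plus(Duration.ofDays(2))));
    }
}
```

Run with `javac RememberMeDemo.java && java RememberMeDemo`. The main() walks through the case the scheme is designed to detect: after one auto-login the token has rotated, so the earlier cookie value now reaches check() as INVALID_TOKEN, potentialTheft() fires, and even the current cookie reports MISSING_SERIES afterwards because all of that user's series were revoked. Series and token are never logged and the token is only ever stored as a hash, so a read of the table alone is not enough to forge a cookie.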

Any updates on this or plans to integrate this into play-authenticate?

I am also interested in this feature and can offer some help if needed!

jtammen avatar Aug 23 '13 08:08 jtammen

@jtammen There are currently no plans for me to provide this, however if a neat and clean pull request came along... :-)

joscha avatar Aug 23 '13 08:08 joscha

Was this ever resolved? What is the best way to implement this functionality with Play 2.2.1 and play-authenticate 0.5?

@joscha - What's the easiest way to set the session age to 30d? I assume we would have to fork play-authenticate and then include it as a module in our play project? If so, can you point me to an example of how this is done? Thanks!

pushkar981 avatar Nov 03 '13 09:11 pushkar981

@joscha - Any hope we could get this done? I am sure it would be a massive help for the community.

pushkar981 avatar Mar 20 '14 23:03 pushkar981

+1. I think a remember me function is totally a must-have for an authentication plugin.

umbreak avatar Jul 23 '14 09:07 umbreak