play-authenticate
Add "Remember Me" cookie functionality
An essential feature for many of us are "Remember Me" cookies. It would be good to have it included in Play! Authenticate.
There is a fork that implements this - I am currently in the process of reviewing how it can be included. In the meanwhile you can also set the session age to "30d" for example to get the same effect for all your users.
See here: https://github.com/chaschev/play-authenticate/commit/617384cb650ca89da53386796dea08be738a97ce (plus the commit before)
Yes. That solution did not play well with my set-up. So at the moment I'm using an ad hoc solution. My Remember Me functionality is implemented "outside" Play Authenticate and plugged in my providers' handleLogin.
Okay - did you need to fork Play! Authenticate for this? If no, it would be great to get a sample of your solution.
I did not fork Play! Authenticate. Here it is: https://gist.github.com/smola/4723534
Note that it probably does not play well with more providers (I have only a username/password provider enabled), and I'm probably missing some security issues.
I'm working on fixing my implementation (it tries to set PLAY_SESSION and REMEMBER_ME cookies in the same response), as well as getting everything working with more providers. I'll post it as soon as I get something decent.
great, thanks for the update!
This is a work in progress for integrating Remember Me: https://github.com/smola/play-authenticate/tree/cookie
It is based on these guidelines: http://jaspan.com/improved_persistent_login_cookie_best_practice
In short:
`CookieAuthUser` has a series (a random string, which is also its ID) and a token (also a random string, which changes after each use of the cookie). A user can have as many simultaneous `CookieAuthUser`s linked to his account as devices/browsers where he has logged in.

`CookieAuthProvider` does not provide an implementation for the `authenticate()` method. It provides the following methods:

- `public void remember(final Context ctx, final AuthUser authUser)`: called from any point where the cookie should be set or updated. Usually, after any successful authentication (to make this possible, I added a `Resolver.afterAuthSuccessHook()` method, which is one of the places where I call `remember`).
- `public void remember(final Context ctx)`: convenience method calling the former using `PlayAuthenticate.getUser()`.
- `public void forget(final Context ctx)`: called on logout.
- `public CookieAuthUser tryAuthenticate(final Context ctx)`: this is called when the auto-login should happen (in my case, in `MyDeadboltHandler.beforeAuthCheck()` and a custom `@RememberMeAction` that I attach to every action where auto-login can happen; it would be nice to do this globally, implicit for any action, any idea?).

Actually, `CookieAuthProvider` is abstract, so the user has to extend it and implement the following methods:

- `protected CheckResult check(final CookieAuthUser cookieAuthUser)`: checks the cookie against the database. Possible responses are SUCCESS (series and token are ok), INVALID_TOKEN (series is ok, token is not), MISSING_SERIES (series was not found at all), EXPIRED (series and token are ok, but they expired), ERROR (any other error that prevents a successful login).
- `protected void save(final CookieAuthUser cookieAuthUser, final AuthUser loginUser)`: saves the series/token for the given login user. This might be removed and replaced by `UserService.link()`.
- `protected void renew(final CookieAuthUser cookieAuthUser, final String newToken)`: updates the token for a given series. I think this might be replaced with `UserService.update()`.
- `protected void deleteSeries(final CookieAuthUser cookieAuthUser)`: deletes any series matching this one.
- `protected void potentialTheft(final CookieAuthUser cookieAuthUser)`: executed when a potential cookie theft has happened. This can be used to log something, send an email, or display a notification.
I have this approach integrated in my app and it seems to be working. But it's still not clear to me where remember me should be hooked for proper integration with play-authenticate.
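A minimal in-memory version of the series/token scheme described in the comment above, written here as an added Java example (it is neither play-authenticate's code nor the linked branch): `RememberMeStore` and its `Entry` class are hypothetical stand-ins, a `HashMap` stands in for the database table, and the methods mirror the `check`/`renew`/`deleteSeries`/`potentialTheft` hooks listed, including the theft signal raised when a known series arrives with a token that has already been rotated.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
// Added example, not play-authenticate code; the HashMap stands in for the database table.
public class RememberMeStore {
    public enum CheckResult { SUCCESS, INVALID_TOKEN, MISSING_SERIES, EXPIRED, ERROR }
    private static final class Entry {
        final String userId; String token; final long expiresAt;
        Entry(String u, String t, long e) { userId = u; token = t; expiresAt = e; }
    }
    private final Map<String, Entry> bySeries = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private String randomString() {          // 256 bits from a CSPRNG, URL-safe for a cookie value
        byte[] b = new byte[32];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    // remember(): issue one series/token pair per device or browser; returns {series, token}
    public String[] remember(String userId, long ttlMillis, long now) {
        String series = randomString(), token = randomString();
        bySeries.put(series, new Entry(userId, token, now + ttlMillis));
        return new String[] { series, token };
    }
    // check(): the five outcomes from the comment above; the token compare is constant-time
    public CheckResult check(String series, String token, long now) {
        if (series == null || token == null) return CheckResult.ERROR;
        Entry e = bySeries.get(series);
        if (e == null) return CheckResult.MISSING_SERIES;
        if (!MessageDigest.isEqual(e.token.getBytes(), token.getBytes())) return CheckResult.INVALID_TOKEN;
        return now > e.expiresAt ? CheckResult.EXPIRED : CheckResult.SUCCESS;
    }
    // tryAuthenticate(): SUCCESS rotates the token (renew()) and returns {userId, newToken} for the
    // refreshed cookie; INVALID_TOKEN means this series was already used from somewhere else, so the
    // series is dropped (deleteSeries()) and potentialTheft() fires; an EXPIRED series is just dropped.
    public String[] tryAuthenticate(String series, String token, long now) {
        CheckResult r = check(series, token, now);
        if (r == CheckResult.SUCCESS) {
            Entry e = bySeries.get(series);
            e.token = randomString();
            return new String[] { e.userId, e.token };
        }
        if (r == CheckResult.INVALID_TOKEN) potentialTheft(series);
        if (r == CheckResult.INVALID_TOKEN || r == CheckResult.EXPIRED) bySeries.remove(series);
        return null;
    }
    // hook: log it, e-mail the user, or show a notification, as the comment above suggests
    protected void potentialTheft(String series) { System.err.println("possible cookie theft, series " + series); }
}
```

Calling `tryAuthenticate` twice with the same token reproduces the theft case: the first call succeeds and rotates the token, the second returns `null` and fires `potentialTheft`.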
Any updates on this or plans to integrate this into play-authenticate?
I am also interested in this feature and can offer some help if needed!
@jtammen There are currently no plans for me to provide this, however if a neat and clean pull request came along... :-)
Was this ever resolved? What is the best way to implement this functionality with Play 2.2.1 and play-authenticate 0.5?
@joscha - What's the easiest way to set the session age to 30d? I assume we would have to fork play-authenticate and then include it as a module in our play project? If so, can you point me to an example of how this is done? Thanks!
@joscha - Any hope we could get this done? I am sure it would be a massive help for the community.
+1. I think a remember me function is totally a must have for an authentication plugin.