Open OrkhanAlikhanov opened 4 years ago
This is a valid issue. Thank you for raising it!
I'm moving this to the To-Do list.
In the meantime, it is possible to simulate a "remember me" feature that will apply to all users by extending the timeout values (for example by specifying a year as the value): https://github.com/FoalTS/foal/blob/master/docs/authentication-and-access-control/session-tokens.md#session-expiration-timeouts
Hello @LoicPoullain,
I looked into the docs already, to think about an implementation of this feature. Yet, you can choose to set timeouts using this guide in the docs: https://foalts.org/docs/authentication-and-access-control/session-tokens#session-expiration-timeouts
So for this feature, in the process of saving the user to the session:
ctx.session.setUser(user)
there needs to be another parameter, like a boolean "rememberMe". If this gets set to true, at least the "absolute timeout" needs to get set to a predefined (by config?) value.
Or do you already have another idea of how to implement such a feature?
Hi @scho-to 👋
> If this gets set to true, at least the "absolute timeout" needs to get set to a predefined (by config?) value.

This issue is more complex. One way to implement the remember me feature would be simply to increase both idle and absolute timeouts to a value further in the future. But this involves some security concerns as authentication tokens should have a short lifetime.
There is a big study to be done here that involves studying the OWASP recommendations and the state of the art in other web frameworks.
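The timeout-based approach discussed in the comments above, as an added example that is not part of the thread and is not FoalTS code: a stand-alone TypeScript model in which the remember-me choice made at login selects a per-session idle and absolute timeout. All names and timeout values here are assumptions.

```typescript
// Added illustration: stand-alone model of idle/absolute session timeouts.
// TimeoutPolicy, createSession, touch and isExpired are hypothetical names,
// not FoalTS API. Timeout values are assumed for the example.

interface TimeoutPolicy {
  idleSeconds: number;     // maximum time allowed between two requests
  absoluteSeconds: number; // maximum total lifetime of the session
}

const DAY = 24 * 3600;
const DEFAULT_POLICY: TimeoutPolicy = { idleSeconds: 15 * 60, absoluteSeconds: 7 * DAY };
const REMEMBER_ME_POLICY: TimeoutPolicy = { idleSeconds: 30 * DAY, absoluteSeconds: 30 * DAY };

interface Session {
  userId: string;
  createdAt: number;     // unix seconds, never changes
  updatedAt: number;     // unix seconds, refreshed on each request
  policy: TimeoutPolicy; // stored per session so the login-time choice persists
}

function createSession(userId: string, rememberMe: boolean, now: number): Session {
  const policy = rememberMe ? REMEMBER_ME_POLICY : DEFAULT_POLICY;
  // An idle timeout longer than the absolute one can never take effect.
  if (policy.idleSeconds > policy.absoluteSeconds) {
    throw new Error('idle timeout must not exceed absolute timeout');
  }
  return { userId, createdAt: now, updatedAt: now, policy: { ...policy } };
}

function isExpired(s: Session, now: number): boolean {
  const idleExpired = now - s.updatedAt >= s.policy.idleSeconds;
  const absoluteExpired = now - s.createdAt >= s.policy.absoluteSeconds;
  return idleExpired || absoluteExpired;
}

// Called on every authenticated request. Activity extends the idle window
// only; createdAt is untouched, so the absolute limit still ends the session.
function touch(s: Session, now: number): boolean {
  if (isExpired(s, now)) {
    return false;
  }
  s.updatedAt = now;
  return true;
}
```

Because the absolute limit is measured from `createdAt`, even a remembered session ends after its configured lifetime no matter how active the user is.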
Although the framework provides authenticating and fetching the user from the database, it seems to miss remember me functionality. Would be great if there was a built-in way to do this. Laravel provides a layer called Auth for authenticating the user and dealing with its state, even permission gates. Again, I am not forcing anybody to follow Laravel in every step, but there are proven benefits to their abstraction. Check out these: https://github.com/laravel/framework/blob/5.8/src/Illuminate/Auth/ https://laravel.com/docs/5.8/authentication#remembering-users https://laravel.com/docs/4.2/upgrade#upgrade-4.1.26