riverrun / openmaize

No longer maintained - was an Authentication library for Plug-based applications in Elixir

Remember me #41

Closed jaimeiniesta closed 8 years ago

jaimeiniesta commented 8 years ago

I want to implement the "remember me" option so, if a user logs in and marks a checkbox, a cookie will be written so the user does not need to log in again on new sessions for the following days.

Are there currently plans for this feature?

riverrun commented 8 years ago

Sounds like a good idea. I've started work on it already (making changes to the logout manager). I'd like to look at how other libraries handle this in more detail, but I should have something ready within a few days' time.

jaimeiniesta commented 8 years ago

Thanks, that's great!

I guess you already know Devise, it has this feature:

https://github.com/plataformatec/devise

riverrun commented 8 years ago

In version 0.19, there's an option in the Openmaize.Login plug to override the default length that a token is valid, which is normally two hours and can be configured as part of openmaize_jwt. There's an example implementation in the openmaize-phoenix example app.

As it stands now, the example app doesn't allow 'remember me' for two-factor authentication, but I am going to add an example of this in the docs for the Authorize module (generated by the mix generator). I've also added a warning to the Openmaize.Login docs about setting the length of the token validity to too long a value, and about only using it for low value resources.

About the implementation, it uses a regular JSON Web Token, but it sets the token exp value to a lot further in the future. I've also added a max_age value to the cookie (if you're using a cookie for storage).

If you have any questions / comments, please let me know.
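
The mechanism described in the comment above (a regular JWT with a later `exp`, plus a matching cookie `max_age`), shown as an added Python example that is not part of the thread and is not Openmaize's code. The cookie name, the one-week and two-week values, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

DEFAULT_VALIDITY = 2 * 60 * 60        # two hours, the default mentioned in the thread
REMEMBER_VALIDITY = 7 * 24 * 60 * 60  # one week (assumed "remember me" value)
MAX_VALIDITY = 14 * 24 * 60 * 60      # assumed hard cap against overly long tokens

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> str:
    return _b64(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def issue(key, user_id, remember=False, now=None):
    """Return (token, Set-Cookie value) with exp and Max-Age kept in step."""
    now = int(time.time()) if now is None else now
    validity = min(REMEMBER_VALIDITY if remember else DEFAULT_VALIDITY, MAX_VALIDITY)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"sub": user_id, "iat": now, "exp": now + validity}).encode())
    token = f"{header}.{claims}.{_sign(key, header + '.' + claims)}"
    # "access_token" is an assumed cookie name, not one taken from Openmaize.
    cookie = f"access_token={token}; Max-Age={validity}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return token, cookie

def verify(key, token, now=None):
    """Return the claims, or None if the token is malformed, forged or expired."""
    now = int(time.time()) if now is None else now
    try:
        header, claims, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # never let the token choose its own algorithm
        if not hmac.compare_digest(sig, _sign(key, header + "." + claims)):
            return None
        data = json.loads(_unb64(claims))
        exp, iat = data["exp"], data["iat"]
        # The server-side exp check is what enforces the lifetime; Max-Age is
        # only a hint to the browser and any client can ignore it.
        if now >= exp or exp - iat > MAX_VALIDITY:
            return None
        return data
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
```

Because the token is self-contained, a long-lived one stays valid until `exp` even after logout unless the server also tracks revocation, which is why the cap and the "low value resources" warning matter.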

jaimeiniesta commented 8 years ago

Thank you, just tried it and it works great :+1:

It felt a bit weird naming this option "Remember me", because if you don't check it, you'll still be remembered for the default of 2 hours, which might not be what you expected.

But, I just changed the message to "Remember me for a week" and problem solved. :)

riverrun commented 8 years ago

Actually, the normal behavior, to remember the user for two hours, is similar to how a normal session would work - the user will be remembered for 1, 2 or 3 hours :) It's just that we're using JSON Web Tokens and not cookies with a session store.