smpallen99 / coherence

Coherence is a full featured, configurable authentication system for Phoenix
MIT License

Remember me functionality not working correctly #336

Closed fdietz closed 6 years ago

fdietz commented 6 years ago

Hi all!

First of all many thanks for coherence - it saved me a ton of time and I really like the approach of user management.

I'm using the Rememberable functionality and I can see in my logs that there's a db query to delete old tokens and update existing tokens on each request (on the rememberables db table). So, I assume everything is set up correctly.

The app is deployed on heroku which restarts the server on each deployment and additionally each night. Without the Rememberable functionality, all users would be logged out in these cases.

On some days I still need to login again several times and I have a feeling that this is somehow correlated to the number of deployments/restarts.

Has anyone else similar problems?

I'm currently working on an internal Phoenix app with coherence, so I cannot point you to the source code, but I can send snippets of configuration or whatever is needed to help track this down.

Many thanks in advance!

dipth commented 6 years ago

Take a look at this wiki entry: https://github.com/smpallen99/coherence/wiki/Session-token-Ecto-Persistance

fdietz commented 6 years ago

Thanks, @dipth, for pointing to this article!

I was assuming that the 'remember me' functionality provides a mechanism that is sufficient for my needs: Making sure that a user doesn't have to login again after a server restart. Without it every server start requires a new login by the user.

Implementing session token persistence as described seems one step further. Can you explain the difference/rationale between the existing rememberable feature and the session token persistence?

Thank you so much!

dipth commented 6 years ago

I have no affiliation with the repo so I would only be able to make assumptions :)

fdietz commented 6 years ago

Thank you anyways! Have a great day!

smpallen99 commented 6 years ago

Basic session authentication was designed to use in-memory persistence of the logged-in user so that a database access is not required on every page request. Restarting the application clears the in-memory store (a GenServer).

The session token persistence can be used to fetch the session from the database if it is not found in the GenServer. This means that you will stay logged in after a server restart. However, there is more setup required, and therefore it is not the default.

The remember me feature uses a persistent cookie on the client. This means you can close your browser, reopen it, and still be logged in. However, there are security risks associated with this approach. To reduce this risk, a new multi-field token is created on each page request. This requires a database access for each page request, which is much more expensive than the first two options. It's a trade-off between functionality, security, and performance.

If all you want is logins to survive a server restart, then I suggest implementing database persistence.
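The comment above describes a remember-me cookie whose token is replaced on every request. The following is an added example, written for this page and not Coherence's own code or schema, of the classic two-field ("series" plus single-use "token") persistent-login scheme that such a design implies. The module name `RememberMe`, the `series:token` cookie layout, the SHA-256 hashing of stored tokens and the in-memory GenServer store are all assumptions made for the example; Coherence's actual rememberables table and token format may differ. The GenServer is used only so the example runs stand-alone: it is exactly the kind of in-memory state the comment says a restart wipes, so a real deployment would keep this table in the database.

```elixir
defmodule RememberMe do
  @moduledoc """
  Added example, not Coherence code: a rotating two-field remember-me token.

  The cookie carries a long-lived `series` id and a single-use `token`.
  Only a SHA-256 hash of the token is stored server side, and every
  successful check replaces the token (one database write per request,
  which is the cost the comment refers to). A known series presented with
  the wrong token is treated as a replayed stolen cookie, so the whole
  series is revoked, which also logs out the legitimate client.
  """
  use GenServer

  @token_bytes 32

  ## Client API

  def start_link(opts \\ []), do: GenServer.start_link(__MODULE__, %{}, opts)

  @doc "Create a new series for `user_id`; returns the cookie value to set."
  def issue(pid, user_id), do: GenServer.call(pid, {:issue, user_id})

  @doc """
  Validate a presented cookie. Returns `{:ok, user_id, new_cookie}` (the caller
  must set the new cookie), `{:error, :invalid}` for an unknown or malformed
  cookie, or `{:error, :stolen}` when the series exists but the token is wrong.
  """
  def authenticate(pid, cookie), do: GenServer.call(pid, {:authenticate, cookie})

  @doc "Walk through issue, normal rotation, and replay detection."
  def demo do
    {:ok, pid} = start_link()
    cookie1 = issue(pid, 42)
    # A normal request succeeds and hands back a rotated cookie.
    {:ok, 42, cookie2} = authenticate(pid, cookie1)
    # Replaying the old cookie (an attacker who copied it) revokes the series.
    {:error, :stolen} = authenticate(pid, cookie1)
    # The legitimate client's newer cookie is now dead as well.
    {:error, :invalid} = authenticate(pid, cookie2)
    :ok
  end

  ## GenServer callbacks (the map stands in for the database table)

  @impl true
  def init(state), do: {:ok, state}

  @impl true
  def handle_call({:issue, user_id}, _from, state) do
    series = random()
    token = random()
    state = Map.put(state, series, %{user_id: user_id, token_hash: hash(token)})
    {:reply, encode(series, token), state}
  end

  def handle_call({:authenticate, cookie}, _from, state) do
    with {:ok, series, token} <- decode(cookie),
         %{user_id: user_id, token_hash: expected} <- Map.get(state, series, :unknown) do
      if secure_compare(hash(token), expected) do
        new_token = random()
        state = Map.put(state, series, %{user_id: user_id, token_hash: hash(new_token)})
        {:reply, {:ok, user_id, encode(series, new_token)}, state}
      else
        # Right series, wrong token: someone else already used this token.
        {:reply, {:error, :stolen}, Map.delete(state, series)}
      end
    else
      _ -> {:reply, {:error, :invalid}, state}
    end
  end

  ## Helpers

  # URL-safe base64 never contains ":", so it is a safe field separator.
  defp random, do: @token_bytes |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)

  defp hash(token), do: :crypto.hash(:sha256, token)

  defp encode(series, token), do: series <> ":" <> token

  defp decode(cookie) when is_binary(cookie) do
    case String.split(cookie, ":", parts: 2) do
      [series, token] when byte_size(series) > 0 and byte_size(token) > 0 -> {:ok, series, token}
      _ -> :error
    end
  end

  defp decode(_), do: :error

  # Constant-time comparison of two equal-length binaries (both SHA-256 digests here).
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    :crypto.exor(a, b) |> :binary.bin_to_list() |> Enum.reduce(0, &Bitwise.bor/2) == 0
  end

  defp secure_compare(_, _), do: false
end
```

Running `RememberMe.demo()` in `iex` returns `:ok` after exercising the three outcomes. Two design choices are worth noting against the thread: because the store is a GenServer, every series vanishes on restart, exactly the behaviour the opening post observed for plain sessions; and the replay check only works because the token is rotated on every request, which is why the remember-me path cannot avoid a database write per request the way the in-memory session path can.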