os-js/OS.js

Auto login via cookie

yoyosaygood opened this issue · 16 comments

How to record the login status? If I'm already logged in, I'll enter automatically next time.

I will look at this ASAP.

Me too I would love to have this capability

I've started looking into this.

FYI: This will only work for the official database authentication adapter. So no support on PAM, at least for now. Mostly because this requires implementing a custom mechanism.

Any adapter that uses a third party authorization service (like Auth0) can already do this :)

FYI: This will only work for the official database authentication adapter.
Is that this one?
https://github.com/os-js/osjs-database-auth

re. "Maybe it could be an option?"
I did a quick search, and login systems with cookies for user/password state persistence
use some combination of encryption/hash/salt on the password in the cookie... maybe,
for now, stick to the official database authentication adapter implementation and defer
universality for down the road? Best not implement stuff you're not comfortable with.

The plan is to generate a remember token that's a unique hash when user logs in and store that in the database and then the token+username in the cookie with some lifetime. When the system starts up it will try to detect this cookie and do a login with the information stored there. If the token has lapsed you'll just get the standard login form with a message to try to log in again.

Also, this token is destroyed on a regular logout.

Hey y'all. I just released @osjs/client@3.6.0 which includes support for insecure cookie auto-login. I know I said I was not comfortable with this, but I've added a configuration option that will make it possible to switch to a more secure mode in the future (which will then be the default).

So if you update you can now add the following to your config:

{
  auth:  {
    cookie: {
      enabled: true,
      epxires: 7 // days -- this is the default value
    }
  }
}

This insecure method will work on all authentication adapters since it stores the actual login and not some token, FYI.

What about a hash of an authentication token that's IP-locked?

What about a hash of an authentication token that's IP-locked?

So it couldn't be hacked as easily.

@hello-smile6 That might not be desirable because if the user changes their connection/location they would not be automatically logged in anymore.

But I suppose it could be added as an option when it comes to the "secure" implementation of this mechanism. It's not possible in the "insecure" method because it's entirely client-side. Not 100% sure though, because if IPs are of concern then there are ways to whitelist this in the front-facing reverse proxy (like nginx), or as middleware on the node server.

This is great Anders - I configured it and it's running perfectly :)
PS - I'm guessing there's a typo below and 'epxires' should be 'expires'?
M.

Hey y'all. I just released @osjs/client@3.6.0 which includes support for insecure cookie auto-login...
...
auth:  {
cookie: {
enabled: true,
epxires: 7 // days -- this is the default value
}

@mikeblackstock Glad to hear it! And yeah, that's indeed a typo 😊

Closing this issue. This will be superseded by issues in the associated repos.