This tutorial covers setting up user session tokens so that a session may be refreshed indefinitely without providing credentials again. This is similar to the Facebook model, where a device remains logged into an account forever unless explicitly logged out.
This tutorial builds on the concepts covered in Logging in, Access using JWT and API Key, and Refreshing a JWT.
You may configure user sessions to never expire if a client sets "remember_me": true at login. This means that a session may be refreshed forever without providing the user's credentials again. The initial session_token will be valid until the token TTL (time-to-live) expires, after which a new session_token value may be obtained by simply refreshing the original session. This may be repeated for the same session indefinitely, or until an explicit logout (session deletion).
To set up forever sessions, we will configure DF_JWT_TTL in the .env file. Note that DF_JWT_REFRESH_TTL will be ignored once DF_ALLOW_FOREVER_SESSIONS is enabled. The .env file for a DreamFactory instance is located at the installation's root directory. Refer to the example .env-dist file provided in the GitHub repository.
In .env, add or un-comment the DF_ALLOW_FOREVER_SESSIONS line to enable forever sessions.
In .env, add or un-comment the DF_JWT_TTL line and set the value to your desired TTL in minutes. A session refresh will be required to receive a new session_token after this many minutes.
- With DF_JWT_TTL set to 720, a session refresh is required every 12 hours (720 minutes).
- Users instantiate sessions as documented in the Logging in tutorial.
- A forever session is instantiated if the client sets "remember_me": true at login, as documented in the Logging in tutorial.
- Sessions may be refreshed to receive a new session_token as documented in the Refreshing a JWT tutorial at any time, including after
- If a session is deleted as documented in the Logging out tutorial, it may no longer be refreshed. Logging in again with valid credentials will be required.
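
One way to check which of these settings are active on an instance, as an added example that is not DreamFactory's own code: it parses .env text, skips commented-out lines, and reports the effective session policy. The literal value true for DF_ALLOW_FOREVER_SESSIONS, the function names and the sample file contents are assumptions made for the illustration.

```python
# Added example (not DreamFactory code): audit the session settings in a .env file.
SAMPLE_ENV = """\
# constructed sample, not a real deployment
APP_ENV=production
#DF_JWT_TTL=60
DF_JWT_TTL=720
DF_JWT_REFRESH_TTL=20160
DF_ALLOW_FOREVER_SESSIONS="true"
"""

def parse_env(text):
    """Return active KEY -> value pairs; commented-out lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit_sessions(text):
    """Summarise the effective session policy and list points to review."""
    env = parse_env(text)
    # Assumption: the flag is switched on with the literal value "true".
    forever = env.get("DF_ALLOW_FOREVER_SESSIONS", "").lower() == "true"
    ttl = env.get("DF_JWT_TTL")
    ttl_min = int(ttl) if ttl and ttl.isdigit() else None
    findings = []
    if forever:
        findings.append("forever sessions on: remember_me sessions end only at logout")
        if "DF_JWT_REFRESH_TTL" in env:
            # The tutorial states this value is ignored once forever sessions are on.
            findings.append("DF_JWT_REFRESH_TTL is set but ignored")
    if ttl_min is None:
        findings.append("DF_JWT_TTL not set to a whole number of minutes")
    return {"forever": forever, "token_ttl_min": ttl_min, "findings": findings}

if __name__ == "__main__":
    report = audit_sessions(SAMPLE_ENV)
    print(report["forever"], report["token_ttl_min"])
    for finding in report["findings"]:
        print("-", finding)
```
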