Forever sessions

(created page, initial structure, completed Tutorial and Background)
 
(completed configuration and usage)
Line 5: Line 5:
 
## Background
 
## Background
  
*This tutorial builds on the concepts covered in [[DreamFactory/Tutorials/Access_Using_JWT_and_API_Key|Access using JWT and API Key]] and [[DreamFactory/Tutorials/Refreshing_a_JWT|Refreshing a JWT]].*
+
*This tutorial builds on the concepts covered in [[DreamFactory/Tutorials/Logging_in#Log_in_as_an_User_.28non-admin.29|Logging in]], [[DreamFactory/Tutorials/Access_Using_JWT_and_API_Key|Access using JWT and API Key]], and [[DreamFactory/Tutorials/Refreshing_a_JWT|Refreshing a JWT]].*
  
You may configure user sessions to never expire. This means that a session may be refreshed forever without providing the user's credentials again. The initial <code>session_token</code> will be valid until the token TTL (time-to-live) expires, after which a new <code>session_token</code> value may be obtained by simply refreshing the original session. This may be repeated for the same session indefinitely, or until an explicit logout (session deletion).
+
You may configure user sessions to never expire if a client sets <code>"remember_me": true</code> at login. This means that a session may be refreshed forever without providing the user's credentials again. The initial <code>session_token</code> will be valid until the token TTL (time-to-live) expires, after which a new <code>session_token</code> value may be obtained by simply refreshing the original session. This may be repeated for the same session indefinitely, or until an explicit logout (session deletion).
  
 
## Configuration
 
## Configuration
  
To set up forever sessions, we will configure <code>DF_ALLOW_FOREVER_SESSIONS</code> and <code>DF_JWT_TTL</code> in the <code>.env</code> file. The <code>.env</code> file for a DreamFactory instance is located at the installation's root directory. Note that <code>DF_JWT_REFRESH_TTL</code> will be ignored once <code>DF_ALLOW_FOREVER_SESSIONS</code> is set to true.
+
To set up forever sessions, we will configure <code>DF_ALLOW_FOREVER_SESSIONS</code> and <code>DF_JWT_TTL</code> in the <code>.env</code> file. Note that <code>DF_JWT_REFRESH_TTL</code> will be ignored once <code>DF_ALLOW_FOREVER_SESSIONS</code> is set to <code>true</code>.
 +
 
 +
The <code>.env</code> file for a DreamFactory instance is located at the installation's root directory. Refer to the example <code>.env-dist</code> file [https://github.com/dreamfactorysoftware/dreamfactory/blob/master/.env-dist provided in the GitHub repository here]. <br /> <br />
  
 
'''1. Set <code>DF_ALLOW_FOREVER_SESSIONS</code>'''
 
'''1. Set <code>DF_ALLOW_FOREVER_SESSIONS</code>'''
 +
: <br />
 +
:
 +
: In <code>.env</code>, add or un-comment this line and set the value to <code>true</code>:
 +
:
 +
: <pre>DF_ALLOW_FOREVER_SESSIONS=true</pre>
 +
:: <br />
  
 
'''2. Set <code>DF_JWT_TTL</code>'''
 
'''2. Set <code>DF_JWT_TTL</code>'''
 +
: <br />
 +
:
 +
: In <code>.env</code>, add or un-comment this line and set the value to your desired TTL in minutes. A session refresh will be required to receive a new <code>session_token</code> after this many minutes.
 +
:
 +
: <pre>DF_JWT_TTL=720</pre>
 +
:
 +
: The above setting will require a session refresh every 12 hours (720 minutes).
 +
:
  
## Example: using the admin app GUI
+
## Usage
 
+
'''1. Create a role with the desired access.'''
+
:* Navigate to 'Roles' > 'Create', enter 'Name' and 'Description' values, and check the box labeled 'Active'.
+
 
+
## Example: calling the API directly
+
 
+
The below API calls will be made from cURL for the sake of raw simplicity.
+
 
+
'''1. Instantiate an admin session.'''
+
:* Since the below changes are made to system resources, an Admin user session must be used to make these API calls. (Refer to the [[DreamFactory/Tutorials/Logging_in#Log_in_as_an_Admin|Logging In]] and [[DreamFactory/Tutorials/Access_Using_JWT|Access Using JWT]] tutorials for details.)
+
 
+
## Testing
+
To test from the REST API client or app of your choice, simply make an unauthenticated API call to the resource(s) you've made available using the API key you've created.
+
 
+
### Using cURL
+
To list the contents of the <code>images</code> folder from cURL:
+
  
### Using a REST client
+
* Users instantiate sessions as documented in the [[DreamFactory/Tutorials/Logging_in#Log_in_as_an_User_.28non-admin.29|Logging in]] tutorial.
From a REST client such as the POSTman extension for Google Chrome, to list the contents of the <code>images</code> folder:
+
* A forever session is instantiated if the client sets <code>"remember_me": true</code> at login, as documented in the [[DreamFactory/Tutorials/Logging_in#Log_in_as_an_User_.28non-admin.29|Logging in]] tutorial.
 +
* Sessions may be refreshed to receive a new <code>session_token</code> as documented in the [[DreamFactory/Tutorials/Refreshing_a_JWT|Refreshing a JWT]] tutorial at any time, including after <code>DF_JWT_TTL</code> expires.
 +
* If a session is deleted as documented in the [[DreamFactory/Tutorials/Logging_out|Logging out]] tutorial, it may no longer be refreshed. Logging in again with valid credentials will be required.
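Review bot: The Usage bullets at the end of the new text say a session may be refreshed "at any time, including after DF_JWT_TTL expires" and name logout as the only way a session ends, so the page should also say how an administrator ends a forever session when a token or device is lost; with DF_JWT_REFRESH_TTL ignored there is no timeout to fall back on. The Configuration paragraph should also state whether DF_JWT_REFRESH_TTL is ignored for every session or only for those that log in with "remember_me": true, because the Background sentence limits forever sessions to remember_me logins while the Configuration note reads as applying globally.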

Revision as of 20:58, 9 November 2015

## Tutorial

Setting up user session tokens so that the session may be refreshed indefinitely without providing credentials again. This is similar to the Facebook model, where a device remains logged into an account forever, unless explicitly logged out.

## Background

You may configure user sessions to never expire if a client sets "remember_me": true at login. This means that a session may be refreshed forever without providing the user's credentials again. The initial session_token will be valid until the token TTL (time-to-live) expires, after which a new session_token value may be obtained by simply refreshing the original session. This may be repeated for the same session indefinitely, or until an explicit logout (session deletion).

## Configuration

To set up forever sessions, we will configure DF_ALLOW_FOREVER_SESSIONS and DF_JWT_TTL in the .env file. Note that DF_JWT_REFRESH_TTL will be ignored once DF_ALLOW_FOREVER_SESSIONS is set to true.

The .env file for a DreamFactory instance is located at the installation's root directory. Refer to the example .env-dist file provided in the GitHub repository: https://github.com/dreamfactorysoftware/dreamfactory/blob/master/.env-dist

1. Set DF_ALLOW_FOREVER_SESSIONS

In .env, add or un-comment this line and set the value to true:

    DF_ALLOW_FOREVER_SESSIONS=true

2. Set DF_JWT_TTL

In .env, add or un-comment this line and set the value to your desired TTL in minutes. A session refresh will be required to receive a new session_token after this many minutes.

    DF_JWT_TTL=720

The above setting will require a session refresh every 12 hours (720 minutes).

## Usage
  • Users instantiate sessions as documented in the Logging in tutorial.
  • A forever session is instantiated if the client sets "remember_me": true at login, as documented in the Logging in tutorial.
  • Sessions may be refreshed to receive a new session_token as documented in the Refreshing a JWT tutorial at any time, including after DF_JWT_TTL expires.
  • If a session is deleted as documented in the Logging out tutorial, it may no longer be refreshed. Logging in again with valid credentials will be required.
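
The following is an added example, not DreamFactory code: a simplified model of the session lifecycle described above, useful for reasoning about how long a session stays refreshable under a given .env. The sample .env contents, the function names, and the assumption that sessions without remember_me still honor DF_JWT_REFRESH_TTL are illustrative and not taken from the DreamFactory source.

```python
# Added example, not DreamFactory code: a simplified model of the settings above.
from dataclasses import dataclass

# Constructed sample .env; the commented-out line must not count as active.
SAMPLE_ENV = """\
#DF_ALLOW_FOREVER_SESSIONS=false
DF_ALLOW_FOREVER_SESSIONS=true
DF_JWT_TTL=720
DF_JWT_REFRESH_TTL=20160
"""

def parse_env(text):
    """Return active KEY=VALUE pairs; '#' lines are treated as commented out."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

@dataclass
class SessionPolicy:
    forever: bool         # DF_ALLOW_FOREVER_SESSIONS
    token_ttl_min: int    # DF_JWT_TTL, minutes
    refresh_ttl_min: int  # DF_JWT_REFRESH_TTL, minutes

def load_policy(text):
    env = parse_env(text)
    return SessionPolicy(
        forever=env.get("DF_ALLOW_FOREVER_SESSIONS", "false").lower() == "true",
        token_ttl_min=int(env["DF_JWT_TTL"]),
        refresh_ttl_min=int(env["DF_JWT_REFRESH_TTL"]),
    )

def token_valid(policy, minutes_since_issue):
    """A session_token is usable only until DF_JWT_TTL has elapsed."""
    return minutes_since_issue <= policy.token_ttl_min

def can_refresh(policy, remember_me, minutes_since_login, logged_out=False):
    """Whether a refresh would yield a new session_token in this model."""
    if logged_out:                      # explicit logout deletes the session
        return False
    if policy.forever and remember_me:  # refresh TTL is ignored
        return True
    # Assumption: sessions without remember_me keep the DF_JWT_REFRESH_TTL limit.
    return minutes_since_login <= policy.refresh_ttl_min
```

With forever sessions enabled, the only input that makes `can_refresh` return False for a remember_me session is a logout, which is why session deletion is the control to monitor and exercise when a token is suspected lost.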