Forever sessions

From DreamFactory
Revision as of 20:04, 30 June 2016

This tutorial builds on the concepts covered in the other User Authentication tutorials. Normally JWT session tokens can only be refreshed prior to the DF_JWT_REFRESH_TTL timer expiring. By enabling forever sessions you can force the system to ignore DF_JWT_REFRESH_TTL and allow refresh at any time (forever). This is similar to the Facebook model, where a device remains logged into an account forever, unless explicitly logged out. The session token will still expire after DF_JWT_TTL and require refreshing, but it can be refreshed forever.

Configuration

To set up forever sessions, configure DF_ALLOW_FOREVER_SESSIONS and DF_JWT_TTL in the .env file. Note that DF_JWT_REFRESH_TTL will be ignored once DF_ALLOW_FOREVER_SESSIONS is set to true.

The .env file for a DreamFactory instance is located at the installation's root directory. Refer to the example .env-dist file provided in the GitHub repository: https://github.com/dreamfactorysoftware/dreamfactory/blob/master/.env-dist

1. Set DF_ALLOW_FOREVER_SESSIONS

In .env, add or un-comment this line and set the value to true:

DF_ALLOW_FOREVER_SESSIONS=true

2. Set DF_JWT_TTL

In .env, add or un-comment this line and set the value to your desired TTL in minutes. A session refresh will be required to receive a new session_token after this many minutes:

DF_JWT_TTL=720

The above setting will require a session refresh every 12 hours (720 minutes).

3. Clear config

Run this command from the root directory of your DreamFactory instance installation so that the new .env values take effect:

php artisan config:clear

Usage

  • A forever session is instantiated if the client sets "remember_me": true at login.
  • Sessions may be refreshed to receive a new session token at any time, including after DF_JWT_REFRESH_TTL expires.
  • If a session is deleted, it may no longer be refreshed. Logging in again with valid credentials will be required.
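The following is an added example, not DreamFactory's own code: a small Python model of the refresh rules stated in the Configuration and Usage sections above. The class and method names (Config, SessionStore, login, refresh, logout) are hypothetical, the two-week DF_JWT_REFRESH_TTL and the device names are constructed values, and time is counted in plain integer minutes. It shows the three decisions that matter when reviewing a deployment: the session_token still expires after DF_JWT_TTL even for a forever session, a forever session can be refreshed after DF_JWT_REFRESH_TTL while an ordinary one cannot, and a deleted (logged-out) session can never be refreshed. It also shows that "remember_me": true from the client has no effect unless DF_ALLOW_FOREVER_SESSIONS=true is set server-side.

```python
# Added example modelling the forever-session refresh policy described on this
# page. NOT DreamFactory's implementation: names are hypothetical and values are
# constructed. All times are integer minutes since some arbitrary origin.
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Config:
    jwt_ttl: int            # DF_JWT_TTL: minutes a session_token stays valid
    jwt_refresh_ttl: int    # DF_JWT_REFRESH_TTL: minutes after expiry a refresh is still accepted
    allow_forever: bool     # DF_ALLOW_FOREVER_SESSIONS


@dataclass
class Session:
    session_id: str
    issued_at: int          # minute at which the current session_token was issued
    forever: bool           # client sent "remember_me": true AND the server allows forever sessions


@dataclass
class SessionStore:
    cfg: Config
    active: Dict[str, Session] = field(default_factory=dict)  # deleted entries cannot be refreshed

    def login(self, session_id: str, now: int, remember_me: bool = False) -> Session:
        """Login with valid credentials; a forever session needs both the client flag and the config."""
        session = Session(session_id, now, remember_me and self.cfg.allow_forever)
        self.active[session_id] = session
        return session

    def token_valid(self, session: Session, now: int) -> bool:
        """The session_token itself always expires after DF_JWT_TTL, forever session or not."""
        return now - session.issued_at < self.cfg.jwt_ttl

    def can_refresh(self, session_id: str, now: int) -> Tuple[bool, str]:
        session = self.active.get(session_id)
        if session is None:
            return False, "session deleted: log in again with credentials"
        if self.token_valid(session, now):
            return True, "token still valid"
        if session.forever:
            return True, "forever session: DF_JWT_REFRESH_TTL ignored"
        expired_for = now - session.issued_at - self.cfg.jwt_ttl
        if expired_for < self.cfg.jwt_refresh_ttl:
            return True, "expired but inside the DF_JWT_REFRESH_TTL window"
        return False, "refresh window passed: log in again with credentials"

    def refresh(self, session_id: str, now: int) -> Tuple[bool, str]:
        """Issue a new session_token (restart the TTL clock) if the rules allow it."""
        ok, reason = self.can_refresh(session_id, now)
        if ok:
            self.active[session_id].issued_at = now
        return ok, reason

    def logout(self, session_id: str) -> None:
        """Explicit logout deletes the session; nothing can refresh it afterwards."""
        self.active.pop(session_id, None)


def walkthrough() -> Dict[str, bool]:
    """Constructed scenario: DF_JWT_TTL=720 as on this page, a constructed two-week
    refresh window, forever sessions enabled. Returns each refresh decision."""
    store = SessionStore(Config(jwt_ttl=720, jwt_refresh_ttl=20160, allow_forever=True))
    store.login("device-a", now=0, remember_me=True)    # forever session
    store.login("device-b", now=0, remember_me=False)   # ordinary session
    results = {}
    # Minute 600: both tokens are still inside DF_JWT_TTL, so both refresh.
    results["a_valid_token"] = store.refresh("device-a", now=600)[0]
    results["b_valid_token"] = store.refresh("device-b", now=600)[0]
    # Minute 21481: 720 + 20160 minutes past the last refresh, plus one.
    late = 600 + 720 + 20160 + 1
    results["a_after_refresh_window"] = store.refresh("device-a", now=late)[0]
    results["b_after_refresh_window"] = store.refresh("device-b", now=late)[0]
    # Logging out revokes even a forever session.
    store.logout("device-a")
    results["a_after_logout"] = store.refresh("device-a", now=late + 1)[0]
    # Same client flag, but DF_ALLOW_FOREVER_SESSIONS left at false on the server.
    strict = SessionStore(Config(jwt_ttl=720, jwt_refresh_ttl=20160, allow_forever=False))
    strict.login("device-c", now=0, remember_me=True)
    results["flag_without_config"] = strict.refresh("device-c", now=late)[0]
    return results


if __name__ == "__main__":
    for name, allowed in walkthrough().items():
        print(f"{name}: {'refresh allowed' if allowed else 'refresh denied'}")
```

The operational takeaway the model makes visible: with forever sessions enabled, an explicit logout (session deletion) is the only thing that stops a token from being renewed, so DF_JWT_TTL bounds how long a lost token works without a refresh call, while logout bounds how long it works at all.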