Forever sessions
Revision as of 20:47, 14 July 2016
This tutorial builds on the concepts covered in the other User Authentication tutorials. Normally a JWT session token can only be refreshed before the DF_JWT_REFRESH_TTL timer expires. By enabling forever sessions you force the system to ignore DF_JWT_REFRESH_TTL and allow a refresh at any time (forever). This is similar to the Facebook model, where a device stays logged into an account until it is explicitly logged out. The session token still expires after DF_JWT_TTL and must be refreshed, but it can be refreshed forever. Bear in mind that this also applies to a token that has leaked: it can be refreshed indefinitely until its session is deleted, so deleting the session (logging out) is how you revoke it.
Configuration
To set up forever sessions, configure DF_ALLOW_FOREVER_SESSIONS and DF_JWT_TTL in the .env file. Note that DF_JWT_REFRESH_TTL is ignored once DF_ALLOW_FOREVER_SESSIONS is set to true.
The .env file for a DreamFactory instance is located in the installation's root directory. Refer to the example .env-dist file provided in the GitHub repository.
1. Set DF_ALLOW_FOREVER_SESSIONS
In .env, add or un-comment this line and set the value to true:
DF_ALLOW_FOREVER_SESSIONS=true
To confirm that forever sessions are enabled, make the following API call (as an authenticated user or with an API key that may read the system environment):
GET http://{url}/api/v2/system/environment
Look for the following in the response:
... "authentication":{ .... "allow_forever_sessions":true .... } ...
2. Set DF_JWT_TTL
In .env, add or un-comment this line and set the value to your desired TTL in minutes. After this many minutes the session token expires and a session refresh is required to receive a new one.
DF_JWT_TTL=720
The above setting requires a session refresh every 12 hours (720 minutes).
3. Clear config
Laravel caches configuration, so run this command from the root directory of your DreamFactory installation for the new .env values to take effect:
php artisan config:clear
Usage
- A forever session is instantiated if DF_ALLOW_FOREVER_SESSIONS is true and the client sets "remember_me": true at login.
- Forever sessions may be refreshed to receive a new session token at any time, including after DF_JWT_REFRESH_TTL expires.
- If a session is deleted, it may no longer be refreshed. Logging in again with valid credentials will be required.
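The following Python block is an added example, not code from DreamFactory, that ties the configuration steps above to the usage rules: it parses the .env settings, checks the system/environment payload for allow_forever_sessions, and models which session tokens are still valid and which may be refreshed. The .env fragment and the environment payload are constructed for the example; the assumptions that DF_JWT_REFRESH_TTL counts from the token's original issue time and that a forever session requires both the server setting and remember_me are ours, as are all function names.

```python
"""Model of the forever-session refresh policy (added example, not DreamFactory code).

Times are in minutes so they line up with DF_JWT_TTL / DF_JWT_REFRESH_TTL.
Assumption: DF_JWT_REFRESH_TTL is measured from the token's original issue time.
"""
from dataclasses import dataclass

# Constructed .env fragment matching the tutorial's settings.
SAMPLE_ENV = """
# JWT settings
DF_JWT_TTL=720
DF_JWT_REFRESH_TTL=20160
DF_ALLOW_FOREVER_SESSIONS=true
"""

# Constructed GET /api/v2/system/environment response (only the relevant part).
SAMPLE_ENVIRONMENT = {"authentication": {"allow_forever_sessions": True}}


def parse_env(text):
    """Parse KEY=VALUE lines of a .env file into a dict; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def env_bool(value):
    """Interpret the usual truthy spellings found in .env files."""
    return str(value).strip().lower() in ("1", "true", "yes", "on")


@dataclass
class JwtConfig:
    ttl: int             # DF_JWT_TTL: minutes a session token is valid
    refresh_ttl: int     # DF_JWT_REFRESH_TTL: refresh window after issue (normal sessions)
    allow_forever: bool  # DF_ALLOW_FOREVER_SESSIONS


def config_from_env(settings):
    """Build the JWT config; refuse to guess if a required key is missing."""
    for key in ("DF_JWT_TTL", "DF_JWT_REFRESH_TTL", "DF_ALLOW_FOREVER_SESSIONS"):
        if key not in settings:
            raise ValueError(f"{key} is not set in .env")
    return JwtConfig(
        ttl=int(settings["DF_JWT_TTL"]),
        refresh_ttl=int(settings["DF_JWT_REFRESH_TTL"]),
        allow_forever=env_bool(settings["DF_ALLOW_FOREVER_SESSIONS"]),
    )


@dataclass
class Session:
    issued_at: int       # minute at which the current token was issued
    remember_me: bool    # client sent "remember_me": true at login
    deleted: bool = False  # session was deleted (logged out) server-side


def is_forever(cfg, session):
    """Forever sessions need both the server setting and remember_me (assumption)."""
    return cfg.allow_forever and session.remember_me


def token_valid(cfg, session, now):
    """A session token is usable until DF_JWT_TTL minutes after issue."""
    return not session.deleted and now < session.issued_at + cfg.ttl


def refresh_allowed(cfg, session, now):
    """Deleted sessions never refresh; forever sessions always do; others only within DF_JWT_REFRESH_TTL."""
    if session.deleted:
        return False
    if is_forever(cfg, session):
        return True
    return now < session.issued_at + cfg.refresh_ttl


def environment_reports_forever(environment_response):
    """Check the system/environment payload for authentication.allow_forever_sessions."""
    auth = environment_response.get("authentication", {})
    return bool(auth.get("allow_forever_sessions", False))


if __name__ == "__main__":
    cfg = config_from_env(parse_env(SAMPLE_ENV))
    print("forever sessions enabled:", environment_reports_forever(SAMPLE_ENVIRONMENT))
    forever = Session(issued_at=0, remember_me=True)
    normal = Session(issued_at=0, remember_me=False)
    print("forever, refresh at 30000 min:", refresh_allowed(cfg, forever, 30000))
    print("normal, refresh at 30000 min:", refresh_allowed(cfg, normal, 30000))
```

The model makes the trade-off explicit: with DF_ALLOW_FOREVER_SESSIONS=true, a remember_me token that is stolen can be refreshed past DF_JWT_REFRESH_TTL just like a legitimate one, and only deleting the session stops it.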