Forever sessions
This tutorial builds on the concepts covered in the other User Authentication tutorials. Normally JWT session tokens can only be refreshed prior to the DF_JWT_REFRESH_TTL timer expiring. By enabling forever sessions you can force the system to ignore DF_JWT_REFRESH_TTL and allow refresh at any time (forever). This is similar to the Facebook model, where a device remains logged into an account forever, unless explicitly logged out. The session token will still expire after DF_JWT_TTL and require refreshing, but it can be refreshed forever.
Configuration
To set up forever sessions, configure DF_ALLOW_FOREVER_SESSIONS and DF_JWT_TTL in the .env file. Note that DF_JWT_REFRESH_TTL will be ignored once DF_ALLOW_FOREVER_SESSIONS is set to true.
The .env file for a DreamFactory instance is located at the installation's root directory. Refer to the example .env-dist file provided in the GitHub repository here.
1. Set DF_ALLOW_FOREVER_SESSIONS
-
- In
.env, add or un-comment this line and set the value totrue: -
DF_ALLOW_FOREVER_SESSIONS=true
-
2. Set DF_JWT_TTL
-
- In
.env, add or un-comment this line and set the value to your desired TTL in minutes. A session refresh will be required to receive a newsession_tokenafter this many minutes. -
DF_JWT_TTL=720
- The above setting will require a session refresh every 12 hours (720 minutes).
-
3. Clear config
-
- Run this command from the root directory for your DreamFactory instance installation.
php artisan config:clear
Usage
- A forever session is instantiated if the client sets
"remember_me": trueat login. - Sessions may be refreshed to receive a new session token at any time, including after
DF_JWT_REFRESH_TTLexpires. - If a session is deleted, it may no longer be refreshed. Logging in again with valid credentials will be required.
