Forever sessions
This tutorial builds on the concepts covered in the other User Authentication tutorials. Normally JWT session tokens can only be refreshed prior to the DF_JWT_REFRESH_TTL timer expiring. By enabling forever sessions you can force the system to ignore DF_JWT_REFRESH_TTL and allow refresh at any time (forever). This is similar to the Facebook model, where a device remains logged into an account forever, unless explicitly logged out. The session token will still expire after DF_JWT_TTL and require refreshing, but it can be refreshed forever.
Configuration
To set up forever sessions, configure DF_ALLOW_FOREVER_SESSIONS and DF_JWT_TTL in the .env file. Note that DF_JWT_REFRESH_TTL will be ignored once DF_ALLOW_FOREVER_SESSIONS is set to true.
The .env file for a DreamFactory instance is located at the installation's root directory. Refer to the example .env-dist file provided in the GitHub repository here.
1. Set DF_ALLOW_FOREVER_SESSIONS
In .env, add or un-comment this line and set the value to true:
DF_ALLOW_FOREVER_SESSIONS=true
To make sure forever session is enabled, make the following API call.
GET http://{url}/api/v2/system/environment
Look for the following in your response.
...
"authentication":{
....
"allow_forever_sessions":true
....
}
...
2. Set DF_JWT_TTL
In .env, add or un-comment this line and set the value to your desired TTL in minutes. A session refresh will be required to receive a new session token after this many minutes.
DF_JWT_TTL=720
The above setting will require a session refresh every 12 hours (720 minutes).
3. Clear config
Run this command from the root directory for your DreamFactory instance installation.
php artisan config:clear
Usage
- A forever session is instantiated if the client sets
"remember_me": trueat login. - Forever sessions may be refreshed to receive a new session token at any time, including after
DF_JWT_REFRESH_TTLexpires. - If a session is deleted, it may no longer be refreshed. Logging in again with valid credentials will be required.
