With Auth0, Using the SPA example, After performing a login, I see that that the user stays logged in on the next session without having to re-enter it’s credentials.
Two questions:
On the client side, I see that a cookie is created that enables the user to stay logged in without having to open the login screen. It looks like the default expiration time is 22 hours. Is there any way to extend this time frame?
Even if the the cookie expires, I see that the login screen does not require the user to re-enter it’s credentials and sends the token automatically. How long is the device authenticated without having to re-enter the user credentials? And can this be modified?
Thanks!
let auth0 = null;
const isAuthenticated = await auth0.isAuthenticated();
if(!isAuthenticated)
{
console.log('Not Authenticated, redirecting to login page');
await auth0.loginWithRedirect({
redirect_uri: window.location.href
});
}
else
{
console.log('Authenticated');
}
Here is the answer from Auth0 community form (Silent authentication was needed):
https://community.auth0.com/t/how-long-does-the-user-stay-logged-in-and-it-can-be-extended/38871
Related
I'm using the Firebase web sdk (JS) in a ReactNative app. My login is simple:
firebase.auth().signInWithEmailAndPassword(email, password)
it works fine. However, if the user backgrounds my app and comes back a few hours later, they are logged out (without them having explicitly logged out and without my app logging them out). There seems to be a 1 hour timeout on the login token but Firebase is NOT refreshing this token when the app is backgrounded or when the app comes back to the foreground.
This is a bad experience for my users since they are forced to login again when they come back the next day.
How can I force the Firebase SDK to refresh the login token even if the app is backgrounded or when it comes back into the foreground?
Or can I refresh it myself somehow when the app comes back to the foreground after a few hours?
Thanks!
Authentication state is automatically persisted across application restarts. But it will have to be loaded, and verified against the server, since the ID token expires each hour
My initial guess would be that the user state simply hasn't been restored yet, which you solve by using an auto state listener.
firebase.auth().onAuthStateChanged(function (user) {
if (user) {
... user is signed in
}
else {
... user is NOT signed in, show login screen
}
})
Also check out this checking the current authentication state in this blog post, which has an example of how to use the above approach in your React Native code.
This was entirely my fault. I had a line in my App.js render method like:
// Should have been wrapped in an if
store.dispatch(FirebaseAuth.signOutCurrentUser());
// XXX TODO login as known user for testing, DO NOT USE IN PRODUCTION
const autoLogoutAndLoginAsTestAccount = false;
if (__DEV__ && autoLogoutAndLoginAsTestAccount) {
store.dispatch(FirebaseAuth.signInWithEmailAndPassword({ email: "joel#test.com", password: "REDACTED" }));
}
which should have been
// XXX TODO login as known user for testing, DO NOT USE IN PRODUCTION
const autoLogoutAndLoginAsTestAccount = false;
if (__DEV__ && autoLogoutAndLoginAsTestAccount) {
store.dispatch(FirebaseAuth.signOutCurrentUser());
store.dispatch(FirebaseAuth.signInWithEmailAndPassword({ email: "joel#test.com", password: "REDACTED" }));
}
I had this in place so I wouldn't need to login each time I hot reloaded the RN code but although I had wrapped the autologin inside an if to prevent it from running in prod/testflight, I had not wrapped the autologout. So Firebase was doing what I asked it to and logging out the user every time it re-rendered the app (e.g. on restart).
I was using an auth listener and that was not the issue.
Sorry, this was a foolish mistake on my part and I feel embarassed since I'm normally very careful with my code and I just missed this. I didn't mean to waste anybody's time and thanks all for your careful answers. I'm posting this here in case it helps somebody in future.
Once I execute
firebase.auth().signInWithEmailAndPassword(email, password).then((user) => {
// here I save user to redux and set loggedIn to true
});
I am logged in. What next? My suggestions...
After login I go to main flow of App and in App.js I execute onAuthStateChanged(). And if I still get user I am still logged in, if not I set loggedIn key to false and redirect user to Login screen.
Next, I am using Redux persist to save loggedIn key between different launches of App.
But when (except I log out by myself) I'll be logged out? What period of life of auth session (if it exists) on firebase side? How it works?
.onAuthStateChanged() drives the sign-in state of your app. That's how it works.
firebase.auth().onAuthStateChanged(function (user) {
if(user){
//unhide non-public elements
} else {
//hide public elements
}
});
You then use Firebase Security Rules to control who has access to what information.
I am using Owin for authentication in my ASP.net MVC application:
app.UseApplicationSignInCookie();
app.UseFormsAuthentication(new FormsAuthenticationOptions()
{
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
ExpireTimeSpan = 64800 /* cookie valid for 48 Days */
});
In my database I store the users last login date and I use this to send mails to inactive users. If the user manually does a login on my site, I can easily update the database. But if the user has the 'remember me' Cookie set, Owin automatically re-authenticates the user and I never get signaled that this user did just start a new session.
Is there some sort of event which Owin fires as soon it has successfully authenticated a user in any way? I would expect something like that sample:
app.OnUserAuthenticated += () => {
var user = HttpContext.Current.User;
/* hooray i am authenticated */
};
As I'm not into OWIN yet I will suggest something else. You could hook up some code on the Session_Start event and check if the user is authenticated there. If the user is authenticated you can go ahead and update the information in your DB.
Why don't you just put middleware after the cookie middleware that looks for OwinContext.Authentication.User != null? This would basically do the same as the event you're looking for.
I have an ASP.NET MVC4 web application, and I would like to use Facebook to authenticate users.
My plan is to have users "Sign Up" with Facebook, and then login using it.
Now this is fine when a user comes to the site and logs in with the Facebook Login button I have setup, which goes through an /Account/FacebookLogin action. In that action I can grab the Auth Token and check it against an SQL database to then authenticate the user with all the extra fields/info I store about them in my database (It's a web based game so Character name etc)...
Now, if the user comes to my site and they are already logged into Facebook, they obviously don't go through that /Account/FacebookLogin action... I simply have access to the auth token through the
FB.getLoginStatus(function (response) {
if (response.status === 'connected') {
var accessToken = response.authResponse.accessToken;
//alert("User is logged in");
}
else if (response.status === 'not_authorized') {
//alert("User is not authorised");
}
else {
//alert("User is not connected to Facebook");
}
});
My question is... What can I do in the "if connected" code to authorize my user, without sending them into an infinite loop? I tried redirecting them to the /Account/FacebookLogin action and passing in the auth token etc. But the getLoginStatus callback is called on every page... so they get stuck in an infinite loop..
Facebook has given you access to someone's Facebook identity. You might now want to create a user account for that identity. Once that user has an account then you then need to get the user to authenticate themselves with your application (you can use the Facebook identity to do this if you wish to tie yourself to Facebook). You can then authorize that user to undertake certain actions within your application.
In the context of MVC, you could quite simply issue them with a forms authentication token:
var username = response.authResponse.name; // <- check the syntax on this
FormsAuthentication.SetAuthCookie(username, true);
return this.RedirectToAction("Index", "AuthorizedUsersOnlyController");
Looking to integrate a login page in an Appcelerator mobile app with ASP.NET membership.
A particular aspect I am looking at is how to keep the user logged in between mobile app sessions, i.e. after closing and re-opening the mobile app the user is still logged in
Ideally the process would go as follows
User enters login details to mobile app
Mobile app passes details to ASP.NET site
Site signs user in, and returns authentication cookie
Mobile app stores authentication cookie locally
For each mobile app site request, it passes the authentication cookie to the site
User logs out, clear local authentication cookie
Thinking because it is a mobile app, best to return data as a json object, for example,
if (Membership.ValidateUser(username, password)) {
FormsAuthentication.SetAuthCookie(username, true);
var json = new {
success = true,
username = username,
message = "Logged In",
authCookie = HttpContext.Current.Response.Cookies[FormsAuthentication.FormsCookieName]
};
return serializer.Serialize(json);
Is this process possible or should I be looking at a different solution?
Thanks for any help
Add this to your login page after the user is validated (after calling Membership.ValidateUser()):
FormsAuthentication.RedirectFromLoginPage(
FormsAuthentication.FormsCookieName, true
);
It's documented here.