feature request: 'remember me' checkbox, cookies to resume session #16

Closed
laurentdebricon opened this Issue Sep 25, 2012 · 7 comments

@laurentdebricon

I'll try to code something for a 'remember me' checkbox. With it, I'll be able to restore a session with a cookie saved in the client browser.

If 'remember me' is checked in the webpage when logging in, the node app on the server creates two cookies: id and token, with an expiration date of today + 30 days. The token is something random and long, like 40 chars. It is stored in the database with the NOW date/time. (It would be great to reuse connect.sid, but I don't know how without messing deep into connect code.)

Then in the node app, in the ensureAuthenticated function,
I have to modify it so that if the session is dead, it checks whether the cookies 'id' & 'token' were sent and looks in the database to check if the pair id,token is in the db.

If yes, delete the entry id,token,date in the db and insert a newly generated one. Also, every 30 days, delete too-old 'id,token' entries from the db.
Also, create a cookie named 'weak', because this cookie authentication is weaker than a real login with 'id,password'. So if in the backend there are some unsafe operations for the user, like 'delete account' or something about money, you have to ask the user for stronger authentication with the password.

All this is based on security stuff I've read on StackOverflow (cookie stealing ...), but I would be pleased to know if I'm going right/wrong, to get advice, and to learn why it hasn't been done, maybe because I'm wrong ...

Thank you

@rorymadden

Did you get anywhere with a remember me checkbox for passport? I would also like this feature.

Thanks

@laurentdebricon

no :( :)

@manuelbieh

Can't you just add a check to the ensureAuthenticated function to see if there's a user with username + token from a cookie? The cookie can be set manually after a successful login (successRedirect).

I'm not too deep into passport yet, but it looks like it just calls the ensureAuthenticated function, which either calls next() or not. So adding the cookie manually shouldn't be a problem here?!

// Requires the cookieParser middleware so that req.cookies is populated.
function ensureAuthenticated(req, res, next) {
    if (req.isAuthenticated()) {
        // Live session: let the request through.
        return next();
    } else {
        // Dead session: fall back to the remember-me cookies.
        if (checkDBforUser(req.cookies['username'], req.cookies['token'])) {
            return next();
        } else {
            res.redirect('/login');
        }
    }
}

Only an assumption. I'm not that deep into passport, as I said. I discovered it a week ago and I'm now trying to solve the same problem ;)

@devpascoe

No update on this? Would make dev easier. Logging in over and over.... ;)

@andr3w321
Contributor

I added an example with some hacks to get this working until it's fully implemented as another middleware or however Jared wants to do it eventually. https://github.com/jaredhanson/passport-local/tree/master/examples/express3-mongoose-rememberme

@jaredhanson
Owner

I put together a Remember Me cookie strategy: passport-remember-me

It's an initial release, so there may be a few rough edges, but I think it covers what you're requesting. If you find any problems, open an issue on that project.