remember login doesn't seem to work from multiple devices #103

Open
nurpax opened this Issue Feb 5, 2014 · 6 comments

Contributor

nurpax commented Feb 5, 2014

I keep having to sign into a Snap application even though I'm using the remember feature of loginUser.

I wonder if the remember feature only works for logins coming from a single device? E.g., if I'm logged in from let's say two mobile devices, one login overrides a remember token from another device?

Owner

mightybyte commented Feb 5, 2014

Yeah, I'm pretty sure you're right that we have a single login limitation. This is definitely something that should be fixed.

Contributor

nurpax commented Feb 5, 2014

I guess this is something that could be done in the Auth backend. Instead of storing the remember token in snap_auth_user.remember_token, separate that into another table so that multiple remember tokens can be persisted per user, and have the backend lookupByRememberToken query this table.

I suppose there'd also need to be some heuristic for deleting old remember tokens from this table so that it doesn't grow unnecessarily.

Member

ozataman commented Feb 7, 2014

A correction: We do NOT enforce a single login and we don't have a limitation there. You can in fact log in as the same user from multiple browsers/computers and use your snap app simultaneously. Where we do have a limitation is in a single remember token per user. If you log in from one computer, it will overwrite with its own remember token. If you then wait a while (expiring your login) and refresh the page from another computer, it will no longer "remember" you as the token got changed underneath.

A few ways to get around this in current auth design:

  • Extend your session timeout indefinitely and your users should never be logged out. Watch out for security, though, as the encrypted cookies can be intercepted and re-used by a middle man for authentication.
  • Create your remember token lookup table, determine the AuthUser that the user should be and call forceLogin, logging them in.

Your request is unfortunately a higher level policy concern; I'd have to think about it a bit to see if there's a simple way to do it.
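The design floated in the two comments above (a separate table holding several remember tokens per user, a `lookupByRememberToken` that queries it, and a heuristic for pruning stale rows) can be sketched in a few dozen lines. The block below is an added illustration written for this page, not code from Snap, snaplet-sqlite-simple or any of the participants; it uses Python's sqlite3 rather than Haskell so it can run stand-alone. The table name `snap_auth_remember_token`, its columns, the per-user cap and the injectable clock are all assumptions. Only `snap_auth_user` and `remember_token` come from the thread.

```python
"""Multi-device remember tokens: one row per device instead of one column per user.

Added example (not from the Snap project). Table/column names other than
snap_auth_user.remember_token are hypothetical.
"""
import hashlib
import secrets
import sqlite3
import time

# Constructed schema. The single remember_token column on snap_auth_user is
# what the thread describes as the limitation; the second table replaces it.
SCHEMA = """
CREATE TABLE snap_auth_user (
    uid   INTEGER PRIMARY KEY,
    login TEXT NOT NULL UNIQUE
);
CREATE TABLE snap_auth_remember_token (   -- hypothetical name
    uid        INTEGER NOT NULL REFERENCES snap_auth_user(uid),
    token_hash TEXT    NOT NULL UNIQUE,    -- digest only, never the raw cookie value
    created_at REAL    NOT NULL,
    expires_at REAL    NOT NULL
);
CREATE INDEX idx_remember_uid ON snap_auth_remember_token(uid);
"""

# Pruning heuristic: keep at most this many live tokens per user (assumed value).
MAX_TOKENS_PER_USER = 5


def _hash_token(token: str) -> str:
    # Store a digest so a leaked database does not hand out working cookies.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class FakeClock:
    """Deterministic clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class RememberTokenStore:
    def __init__(self, ttl_seconds: float, now=time.time) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)
        self.ttl = ttl_seconds
        self.now = now

    def create_user(self, login: str) -> int:
        cur = self.conn.execute("INSERT INTO snap_auth_user (login) VALUES (?)", (login,))
        return cur.lastrowid

    def issue_token(self, uid: int) -> str:
        """Mint a token for one device; tokens held by other devices stay valid."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        t = self.now()
        self.conn.execute(
            "INSERT INTO snap_auth_remember_token VALUES (?, ?, ?, ?)",
            (uid, _hash_token(token), t, t + self.ttl),
        )
        self._prune(uid)
        return token

    def lookup_by_remember_token(self, token: str):
        """Return the uid for a live token, or None (the multi-row lookupByRememberToken)."""
        row = self.conn.execute(
            "SELECT uid FROM snap_auth_remember_token WHERE token_hash = ? AND expires_at > ?",
            (_hash_token(token), self.now()),
        ).fetchone()
        return row[0] if row else None

    def revoke_all(self, uid: int) -> None:
        """Password change / explicit logout-everywhere: drop every device's token."""
        self.conn.execute("DELETE FROM snap_auth_remember_token WHERE uid = ?", (uid,))

    def live_token_count(self, uid: int) -> int:
        return self.conn.execute(
            "SELECT COUNT(*) FROM snap_auth_remember_token WHERE uid = ? AND expires_at > ?",
            (uid, self.now()),
        ).fetchone()[0]

    def _prune(self, uid: int) -> None:
        # Heuristic from the thread: delete expired rows, then cap rows per user
        # so the table cannot grow without bound from repeated logins.
        self.conn.execute(
            "DELETE FROM snap_auth_remember_token WHERE expires_at <= ?", (self.now(),)
        )
        self.conn.execute(
            """DELETE FROM snap_auth_remember_token
               WHERE uid = ? AND token_hash NOT IN (
                   SELECT token_hash FROM snap_auth_remember_token
                   WHERE uid = ? ORDER BY created_at DESC, rowid DESC LIMIT ?)""",
            (uid, uid, MAX_TOKENS_PER_USER),
        )
```

The `forceLogin` step from the second workaround is what a handler would do with the returned uid: load that `AuthUser` and establish the session. Hashing the stored value and capping rows per user are the two choices worth carrying into a real backend; the cap bounds the cost of the heuristic in the first comment, and the digest keeps a dumped `snap_auth_remember_token` table from being replayable.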

Owner

mightybyte commented Feb 7, 2014

Ahh, yes. Oz is right. I thought we had the single login limitation because every time I tried multiple computers there was a long enough time delay between tries that the session timeout kicked in and caused the problem. So it looked to me like it was caused by multiple computers when it actually was caused by the timeout and the remember_token, as he described.

Contributor

nurpax commented Feb 8, 2014

Yeah, I was talking about the "remember" feature (subject line of this issue, issue description), not session timeouts.

Contributor

nurpax commented Feb 8, 2014

@ozataman I'm the author of snaplet-sqlite-simple, and was asking more in the context of an Auth backend author, not so much as a Snap user (although I am both). It seems that the remember lookup table could be pretty easily handled in the Auth db backend. I filed this bug to get a design discussion going, as anything related to logins has serious security implications.

Edit: Sorry, I wasn't very clear in my bug report that I was looking for a) is this supposed to work and b) if not, how can we fix that? :)
