Two questions about authentication, one probably more advanced


Robert Hall

Feb 14, 2015, 3:24:46 PM
to sai...@googlegroups.com
I've been able to set up basic auth (yay!), working w/ policies and all. Really terrific stuff, people!

I'm wondering now about the sort of option often available on websites that allow you to be logged in for a specified time (often two weeks), which is a session based sort of thing. Does anyone have an example of implementing this sort of thing? How would you recommend going about it?

On the flip, I'm wondering if there's an easy way *in development mode only* to auto-auth, so I don't have to always sign in to work on pages.

Thoughts?

Thanks for an awesome framework!

Robert Hall

Feb 15, 2015, 10:41:24 PM
to sai...@googlegroups.com
Okay, so I *finally* figured out—after much trial and error and SCOURING the Internets for answers and for ages it seems (heh)—

The answer for the second question is that sessions are persistent across start/stop of app *ONLY* w/ an actual session store (like Mongo or REDIS). This naturally makes sense, but it's not really documented anywhere solid. Maybe a good one to add to the documentation.

As for my other question, I suppose it's *sort of* answered implicitly by this realization, but I'm still open to ideas. How do you persist sessions best across weeks? A cookie? Do you initially search for a stored authentication token and keep the session if true, and dump the session if false?

Open to strategies. :)

Thanks.

Robert Main

Feb 16, 2015, 2:04:25 AM
to Robert Hall, sai...@googlegroups.com

Hi Robert

I wouldn't be using sessions anyway. Go have a look at JWT :-)

Manuel Darveau

Feb 17, 2015, 10:43:06 PM
to Robert Hall, sai...@googlegroups.com
Hi Robert,

I just open-sourced my implementation of the "remember me" login: https://github.com/mdarveau/session-rememberme/tree/master
It's really easy to integrate with Sails and whatever persistence layer you use. I added the minimum required documentation; let me know if you have questions.

It is currently used by maligue.ca.

Manuel

Robert Main

Feb 18, 2015, 2:00:25 AM
to Manuel Darveau, sai...@googlegroups.com, Robert Hall

Hi Robert

Have you had a look at JWT? The session validation for that is done cryptographically using bcrypt. Therefore there should be no need to store anything anywhere server side, thus eliminating your problem.

Regards

Robert
