Login Expiry
69 views
Skip to first unread message
Jay Kyburz
Oct 9, 2013, 4:22:39 PM10/9/13
to gae-sim...@googlegroups.com
Hello Alex and folks,
Yesterday I went live with my Simple Auth implementation. I was using standard Federated Identities until now.
I've had some feedback that some users have been asked to log in multiple times throughout the day. All using Google OpenID's
In my application settings I have cookie expiration set to two weeks. Will this setting still be honored by SimpleAuth by default?
What would cause some users to have to log in repeatedly?
Jay.
Yesterday I went live with my Simple Auth implementation. I was using standard Federated Identities until now.
I've had some feedback that some users have been asked to log in multiple times throughout the day. All using Google OpenID's
In my application settings I have cookie expiration set to two weeks. Will this setting still be honored by SimpleAuth by default?
What would cause some users to have to log in repeatedly?
Jay.
alex
Oct 9, 2013, 4:48:37 PM10/9/13
to Jay Kyburz, gae-sim...@googlegroups.com
Hi Jay!
> In my application settings I have cookie expiration set to two weeks. Will
> this setting still be honored by SimpleAuth by default?
Definitely yes. SimpleAuth doesn't manage cookies, it relies on
whatever implementation you have in the app (usually it would be
webapp2's sessions module).
In addition, OpenID authentication is completely outsourced to
Google's infrastructure, so simpleauth does almost nothing when
authenticating against an OpenID provider thanks to App Engine.
> What would cause some users to have to log in repeatedly?
Really hard to say w/o seeing the code.
As stupid as it might sound, could it be that your app was sending
users to different domains (or even just protocols, http vs https)?
> --
> You received this message because you are subscribed to the Google Groups
> "SimpleAuth for GAE" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to gae-simpleaut...@googlegroups.com.
> Visit this group at http://groups.google.com/group/gae-simpleauth.
> For more options, visit https://groups.google.com/groups/opt_out.
> In my application settings I have cookie expiration set to two weeks. Will
> this setting still be honored by SimpleAuth by default?
whatever implementation you have in the app (usually it would be
webapp2's sessions module).
In addition, OpenID authentication is completely outsourced to
Google's infrastructure, so simpleauth does almost nothing when
authenticating against an OpenID provider thanks to App Engine.
> What would cause some users to have to log in repeatedly?
As stupid as it might sound, could it be that your app was sending
users to different domains (or even just protocols, http vs https)?
> You received this message because you are subscribed to the Google Groups
> "SimpleAuth for GAE" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to gae-simpleaut...@googlegroups.com.
> Visit this group at http://groups.google.com/group/gae-simpleauth.
> For more options, visit https://groups.google.com/groups/opt_out.
Jay Kyburz
Oct 10, 2013, 2:25:02 AM10/10/13
to gae-sim...@googlegroups.com, Jay Kyburz
I wish it was that simple but no, same domain and protocol.
From what I can tell, by default cookies only last until the client is closed.
http://webapp-improved.appspot.com/api/webapp2_extras/sessions.html
I will try setting a session_max_age somewhere and see if that does the trick.
From what I can tell, by default cookies only last until the client is closed.
http://webapp-improved.appspot.com/api/webapp2_extras/sessions.html
I will try setting a session_max_age somewhere and see if that does the trick.
alex
Oct 10, 2013, 4:16:28 AM10/10/13
to Jay Kyburz, gae-sim...@googlegroups.com
Right, that could definitely be another reason. Let me know if it
solves the problem!
solves the problem!
Jay Kyburz
Dec 8, 2013, 10:00:38 PM12/8/13
to gae-sim...@googlegroups.com, Jay Kyburz
Hey Alex,
I never was able to change the duration of the auth cookie.
If you remember right now its set to "session" by default, and this means that every time a user closes the browser they need to log in again.
This is not a problem most of the time, but my iPad uses find it very annoying because they get logged out every time they open up an app that is not the browser.
I would love some help working out how to set the session_max_age. Everything I tried failed.
Jay.
I never was able to change the duration of the auth cookie.
If you remember right now its set to "session" by default, and this means that every time a user closes the browser they need to log in again.
This is not a problem most of the time, but my iPad uses find it very annoying because they get logged out every time they open up an app that is not the browser.
I would love some help working out how to set the session_max_age. Everything I tried failed.
Jay.
alex
Dec 10, 2013, 3:34:56 AM12/10/13
to Jay Kyburz, gae-sim...@googlegroups.com
Right, so this is how it always worked out for me:
config = {
'webapp2_extras.sessions': {
'cookie_args': { 'max_age': 86400 }
...
},
}
app = webapp2.WSGIApplication(routes=[...], config=config)
There are other useful cookie_args keys described here:
http://webapp-improved.appspot.com/api/webapp2_extras/sessions.html
'webapp2_extras.sessions': {
'cookie_args': { 'max_age': 86400 }
...
},
}
app = webapp2.WSGIApplication(routes=[...], config=config)
There are other useful cookie_args keys described here:
http://webapp-improved.appspot.com/api/webapp2_extras/sessions.html
Hope this helps!
Alex.
alex
Dec 11, 2013, 1:51:12 AM12/11/13
to Jay Kyburz, gae-sim...@googlegroups.com
Ah sorry. Yeah, there's another piece of config that should go into
'webapp2_extras.auth' if you want to tune auth session parameters.
webapp2 uses two separate sections, one for a generic session and a
separate only for the authentication stuff:
http://webapp-improved.appspot.com/api/webapp2_extras/auth.html#module-webapp2_extras.auth
On 11 December 2013 07:27, Jay Kyburz <j...@jaykyburz.com> wrote:
> I have some strange behaviour..
>
> my config looks like this.
>
> # webapp2 config
> app_config = {
> 'webapp2_extras.sessions': {
> 'cookie_args': { 'max_age': 604800 },
> 'cookie_name': '_simpleauth_sess',
> 'secret_key': SESSION_KEY
> },
> 'webapp2_extras.auth': {
> 'user_attributes': []
> }
> }
>
> I looks like when logging in using Google / Yahoo (ie the built in Federated
> Identity) I don't get a cookie called "_simpleauth_sess'. Instead my cookie
> is called "auth". The" auth" cookie ignores the max age setting.
>
> When I login with Facebook I get both the "_simpleauth_sess" cookie and the
> "auth" cookie.
>
> Seems like the auth cookie is all that is needed though. Do you fall back to
> auth if the _simplauth_sess cookie is not found?
>
> I see that when I login using Yahoo on https://simpleauth.appspot.com/ I get
> both cookies so I must have broken something somewhere with my OpenID
> implementation.
>
>
> Jay.
'webapp2_extras.auth' if you want to tune auth session parameters.
webapp2 uses two separate sections, one for a generic session and a
separate only for the authentication stuff:
http://webapp-improved.appspot.com/api/webapp2_extras/auth.html#module-webapp2_extras.auth
On 11 December 2013 07:27, Jay Kyburz <j...@jaykyburz.com> wrote:
> I have some strange behaviour..
>
> my config looks like this.
>
> # webapp2 config
> app_config = {
> 'webapp2_extras.sessions': {
> 'cookie_args': { 'max_age': 604800 },
> 'cookie_name': '_simpleauth_sess',
> 'secret_key': SESSION_KEY
> },
> 'webapp2_extras.auth': {
> 'user_attributes': []
> }
> }
>
> I looks like when logging in using Google / Yahoo (ie the built in Federated
> Identity) I don't get a cookie called "_simpleauth_sess'. Instead my cookie
> is called "auth". The" auth" cookie ignores the max age setting.
>
> When I login with Facebook I get both the "_simpleauth_sess" cookie and the
> "auth" cookie.
>
> Seems like the auth cookie is all that is needed though. Do you fall back to
> auth if the _simplauth_sess cookie is not found?
>
> I see that when I login using Yahoo on https://simpleauth.appspot.com/ I get
> both cookies so I must have broken something somewhere with my OpenID
> implementation.
>
>
> Jay.
Reply all
Reply to author
Forward
0 new messages