Longtime valid login session

Hi there,

I want to have a long-lived login, which should stay valid until a user logs himself out (“remember my login” function).
So if a user revisits the page, he is still logged in.
But after some time the session disappears from the persistent cache and you have to log in again.

# Flow_Session_*
Flow_Session_MetaData:
  backend: TYPO3\Flow\Cache\Backend\SimpleFileBackend
  persistent: true
Flow_Session_Storage:
  backend: TYPO3\Flow\Cache\Backend\SimpleFileBackend
  persistent: true

Is SimpleFileBackend the right thing to use? Or do I need further configuration?

/**
 * A caching backend which stores cache entries in files, but does not support or
 * care about expiry times and tags.
 *
 * @api
 */
class SimpleFileBackend extends IndependentAbstractBackend implements PhpCapableBackendInterface, IterableBackendInterface

Thanks for your help,

Markus

SimpleFileBackend is a bad idea for this AFAIK, because it doesn’t support tagging and lifetimes.

Keep the default ones if you use file caches. Also make sure those are definitely not deleted on deploy.

First I tried

backend: TYPO3\Flow\Cache\Backend\FileBackend

but had the same experience. But with both “solutions” they are not deleted after a deployment.

And I forgot to mention that the lifetime is set to a year.

Did you try to use Redis as a backend? We use Redis and have had no issues so far.

No I didn’t, but I will give it a try. I thought it would work with a normal filesystem cache and took this https://github.com/neos/neos-googleanalytics/blob/master/Configuration/Caches.yaml as an example for a “last try”, since that configuration is kept in the cache.

And will also have a look again at the Settings.yaml options of session.

Thanks for the tip.

A different approach: Instead of using a server-side session for these long lived authentications, use a cookie. That will allow you to set the cookie expiration based on the user’s choice (remember me?) as well.
Therefore the cookie needs to contain all the information of your session of course, thus it has to be signed so it can’t be altered.
One way to do so is to store the cookie as JWT. Here’s an example implementation for Flow: https://gist.github.com/bwaidelich/0932b015cfffd20ef40c919a78c439a8

You can also bind the JWT to some client specifics (IP, user agent, …) and give it an expiration date for increased security (you could extend the lifetime in the background if it’s about to expire).

Just an inspiration, if you make it work with server sessions that’s probably easier to implement

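The signed-cookie approach sketched in the reply above, as an added example in plain PHP. It is not code from the original thread nor from the linked gist and uses no Flow APIs; the function names, the key handling (a random key generated inline instead of a configured secret) and the client fingerprint (remote address plus user agent) are assumptions for illustration. It shows the three properties the reply asks for: a token that cannot be altered (HMAC-SHA256 over a compact JWT-style `header.payload.signature`), that expires, and that is bound to client specifics, plus a helper that re-issues it shortly before expiry.

```php
<?php
// Added example (not from the thread or the linked gist): a "remember me"
// token that is signed, expiring and bound to a client fingerprint.
// Key, fingerprint and function names are assumptions for illustration.
declare(strict_types=1);

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode(string $data)
{
    // strict mode rejects characters outside the alphabet; missing padding is tolerated
    return base64_decode(strtr($data, '-_', '+/'), true);
}

/** Build a compact HS256 token: base64url(header).base64url(payload).base64url(hmac). */
function issueToken(string $key, string $accountId, string $clientFingerprint, int $ttlSeconds, int $now): string
{
    $header  = base64UrlEncode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64UrlEncode(json_encode([
        'sub' => $accountId,
        'fp'  => hash('sha256', $clientFingerprint), // client binding, stored hashed
        'iat' => $now,
        'exp' => $now + $ttlSeconds,
    ]));
    $signature = base64UrlEncode(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$signature";
}

/** Check signature, algorithm, expiry and client binding. Returns the claims or null on any failure. */
function verifyToken(string $key, string $token, string $clientFingerprint, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $signature] = $parts;

    // Verify the MAC first, in constant time, before trusting anything inside the token.
    $expected = base64UrlEncode(hash_hmac('sha256', "$header.$payload", $key, true));
    if (!hash_equals($expected, $signature)) {
        return null;
    }
    // Refuse any algorithm other than the one we sign with (no "alg: none" confusion).
    $headerData = json_decode(base64UrlDecode($header) ?: '', true);
    if (($headerData['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $claims = json_decode(base64UrlDecode($payload) ?: '', true);
    if (!is_array($claims) || !isset($claims['exp'], $claims['sub'], $claims['fp'])) {
        return null;
    }
    if ($now >= (int)$claims['exp']) {
        return null; // expired
    }
    if (!hash_equals((string)$claims['fp'], hash('sha256', $clientFingerprint))) {
        return null; // presented from a different client
    }
    return $claims;
}

/** Re-issue the token when less than $threshold seconds remain (the "extend in the background" idea). */
function refreshIfNeeded(string $key, array $claims, string $clientFingerprint, int $ttlSeconds, int $now, int $threshold): ?string
{
    if ((int)$claims['exp'] - $now > $threshold) {
        return null; // still fresh, keep the current cookie
    }
    return issueToken($key, (string)$claims['sub'], $clientFingerprint, $ttlSeconds, $now);
}

// --- demo with constructed values ---
$key = random_bytes(32); // in practice: a secret from configuration, never generated per request
$fingerprint = ($_SERVER['REMOTE_ADDR'] ?? '203.0.113.10') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? 'ExampleBrowser/1.0');
$ttl = 365 * 24 * 3600;
$now = time();

$token = issueToken($key, 'markus', $fingerprint, $ttl, $now);
// setcookie('rememberMe', $token, ['expires' => $now + $ttl, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

$checks = [
    'same client, unexpired'      => verifyToken($key, $token, $fingerprint, $now),
    'different client'            => verifyToken($key, $token, 'other|client', $now),
    'after expiry'                => verifyToken($key, $token, $fingerprint, $now + $ttl + 1),
    'tampered signature'          => verifyToken($key, $token . 'x', $fingerprint, $now),
];
foreach ($checks as $label => $claims) {
    printf("%-25s %s\n", $label, $claims === null ? 'rejected' : 'accepted for ' . $claims['sub']);
}
// Renewal only kicks in inside the threshold window (here: 30 days before expiry).
$renewed = refreshIfNeeded($key, $checks['same client, unexpired'], $fingerprint, $ttl, $now + $ttl - 86400, 30 * 86400);
printf("renewal issued: %s\n", $renewed === null ? 'no' : 'yes');
```

Only the first check is accepted; the other three are rejected by the signature, expiry and fingerprint checks respectively. Two caveats a practitioner should keep in mind: the token is signed, not encrypted, so its claims are readable by whoever holds the cookie and must contain identifiers only; and binding to the remote address will log out users whose address changes (mobile networks, corporate proxies), so the user agent alone is the more stable binding at the cost of weaker protection. A stateless token also cannot be invalidated on logout other than by rotating the key or keeping a server-side denylist, which is the trade-off against the server-session approach the rest of the thread uses.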

Thanks @bwaidelich. But I wanted to use the server sessions, as I am using different login methods like “normal” frontend login and some social login (Google and Facebook) with https://github.com/Flowpack/Flowpack.OAuth2.Client

But with the following configuration it works for me. I had some priority issues with the config and overlooked the setting for inactivityTimeout

# Caches.yaml
# Flow_Session_*
Flow_Session_MetaData:
  backend: TYPO3\Flow\Cache\Backend\FileBackend
  persistent: true
Flow_Session_Storage:
  backend: TYPO3\Flow\Cache\Backend\FileBackend
  persistent: true

# Settings.yaml
TYPO3:
  Flow:
    session:
      # set to a year (365 * 24 * 3600 seconds)
      inactivityTimeout: 31536000
      cookie:
        lifetime: 31536000

That wouldn’t be a problem. You can mix them as you like.
Anyways, good that you found a way to solve it with persistent sessions.