[Security] Use remember_me with json_login #29729
Comments
+1
The json login is mostly used by APIs, so I'm not sure it is pertinent to add a remember me feature...
At least it could be nice to be able to activate it?
So if you enable the remember-me feature on a client project using an API with session authentication (I know it's not the best but a possibility), the remember me from the client is not enough; you can't keep the login status on both sides, so what is the most pertinent from your POV?
It is useful if you want to keep the user logged in without storing credentials on the client side.
Maybe, but then where do you store the "server credentials" if not on the client? Logging in through a JSON request should be stateless and not deliver any cookies (that should be done on the client side actually). Unless you mean delivering a sort of token through the API, but for that I'd use a guard or something...
Why not?
The problem with a token stored on the client side is that this token won't be "httpOnly" and is therefore accessible with JavaScript (your script and external scripts, but also a hack, if there is a security breach or something).
Beeecause a cookie is not stored on the client side? That's new. And nothing prevents you from making a token usable only through HTTP (it's called a bearer auth token). What you're trying to make is basically a stateful API... Still not convinced.
I didn't mean that. I didn't explain it well, sorry. A lot of scenarios that I saw on the web to make an app (with VueJS for instance, which will call for stuff through the API) are that you log in through JSON and then it returns you a "token".
Didn't know that. I will investigate. Thanks!
Ok so you are suggesting something like JWT? Why is it bad to have a stateful API?
+1 for @Cryde; even if it's not considered good practice in web API architecture, it should be a matter of choice to be stateful or stateless. Especially when the config key is available.
Thank you for this suggestion.
Friendly ping? Should this still be open? I will close if I don't hear anything.
Hey, I didn't hear anything so I'm going to close it. Feel free to comment if this is still relevant, I can always reopen!
This new feature will address this I guess : #48899 |
Description
When using the `json_login` authentication method, there is a boolean `remember_me` config key, but this one is ignored for now. It would be wonderful to be able to enable this feature, and thus use it by passing a `remember_me` key in the body of the request.
Actual config:
Example
The `remember_me` key could be set like username and password:
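A configuration sketch of what the request describes, added here as an example (it is not from the issue or from the Symfony project); the firewall name and the `/api/login` route are assumptions, and whether `json_login` honours the key at all depends on the Symfony version, which is exactly what the issue is about.

```yaml
# Added example, not from the issue. Firewall name and check_path are assumed.
security:
    firewalls:
        main:
            json_login:
                check_path: /api/login          # assumed route for the JSON POST
                username_path: username
                password_path: password
                remember_me: true               # the boolean key the issue says is ignored
            remember_me:
                secret: '%kernel.secret%'
                lifetime: 604800                # one week, in seconds
                remember_me_parameter: remember_me   # body key the issue proposes
                # Cookie hardening: the remember-me cookie should never be readable
                # from JavaScript or sent over plain HTTP.
                secure: true
                httponly: true
                samesite: lax
# Expected request body (constructed sample):
#   {"username": "jane", "password": "s3cret", "remember_me": true}
```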