
[Security] Use remember_me with json_login #29729

Closed
remi-blaise opened this issue Dec 30, 2018 · 15 comments
Comments

@remi-blaise
Contributor

Description
When using the json_login authentication method, there is a boolean remember_me config key, but this one is ignored for now. It would be wonderful to be able to enable this feature, and thus use it by passing a remember_me key in the body of the request.

Actual config:

security:
    firewalls:
        main:
            json_login:
                remember_me: true
            stateless: false

Example

POST /login HTTP/1.1
Host: 127.0.0.1:8000
Content-Type: application/json
cache-control: no-cache
{
	"username": "...",
	"password": "...",
	"remember_me": true
}

The remember_me key could be set like username and password:

security:
    firewalls:
        main:
            json_login:
                remember_me_path: remember_me
@remi-blaise remi-blaise changed the title Use remember_me with json_login [Security] Use remember_me with json_login Dec 30, 2018
@florianajir

+1

@Taluu
Contributor

Taluu commented Aug 15, 2019

The JSON login is mostly used by APIs, so I'm not sure it is pertinent to add a remember me feature...

@Cryde

Cryde commented Aug 31, 2019

The json login is mostly used by apis, so I'm not sure it is pertinent to add a remember me feature...

At least it could be nice to be able to activate it?

@florianajir

The json login is mostly used by apis, so I'm not sure it is pertinent to add a remember me feature...

So if you enable the remember-me feature on a client project using an API with session authentication (I know it's not the best, but a possibility), the remember me from the client is not enough, you can't keep the login status on both sides, so what is the most pertinent from your pov?

@remi-blaise
Contributor Author

It is useful if you want to keep the user logged in without storing credentials on the client side.

@Taluu
Contributor

Taluu commented Sep 4, 2019

Maybe, but then where do you store the "server credentials" if not on the client? Logging in through a JSON request should be stateless and not deliver any cookies (that should be done on the client side actually).

Unless you mean delivering a sort of a token through the api, but for that, I'd use a guard or something...

@Cryde

Cryde commented Sep 4, 2019

Maybe but then, where do you store the "server credentials" if not on the client ? logging in through a json request should be stateless and not deliver any cookies (that should be done on the client side actually).

Why not?

Unless you mean delivering a sort of a token through the api, but for that, I'd use a guard or something...

The problem with a token stored on the client side is that this token won't be "httpOnly" and is then accessible from JavaScript (your script and external scripts, but also a hack, if there is a security breach or something).
The remember me cookie will be httpOnly.
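As an added illustration of the proposal in the issue description and of the httpOnly point above (example code written for this page, not Symfony's own implementation): a minimal handler that parses the JSON body shown in the issue, treats the proposed remember_me key as a strict boolean, and, when set, issues an opaque remember-me cookie with HttpOnly/Secure/SameSite attributes rather than returning a token for JavaScript to store. The key name remember_me, the cookie name REMEMBERME and the credential callback are assumptions.

```php
<?php
// Added illustration, not Symfony's code: handle the JSON login body from the
// issue and decide whether to issue a remember-me cookie.
declare(strict_types=1);

function handleJsonLogin(string $rawBody, callable $checkCredentials): array
{
    $data = json_decode($rawBody, true, 8, JSON_THROW_ON_ERROR);
    $username = $data['username'] ?? null;
    $password = $data['password'] ?? null;
    // Hypothetical key from the issue; strict comparison so a string such as
    // "false" or a non-boolean value is never treated as opting in.
    $rememberMe = ($data['remember_me'] ?? false) === true;

    if (!is_string($username) || !is_string($password)
        || !$checkCredentials($username, $password)) {
        return ['status' => 401, 'cookies' => []];
    }

    $cookies = [];
    if ($rememberMe) {
        // Opaque random value to be stored server-side against the user; the
        // browser only sees it as an HttpOnly cookie, so document.cookie
        // cannot read it, unlike a token kept in web storage.
        $token = bin2hex(random_bytes(32));
        $cookies['REMEMBERME'] = [
            'value'   => $token,
            'options' => [
                'expires'  => time() + 30 * 86400,
                'path'     => '/',
                'secure'   => true,
                'httponly' => true,
                'samesite' => 'Lax',
            ],
        ];
    }

    return ['status' => 200, 'cookies' => $cookies];
}

// Constructed sample matching the request body in the issue; the credential
// check is a stand-in for the firewall's user provider.
$body = '{"username":"alice","password":"s3cret","remember_me":true}';
$result = handleJsonLogin(
    $body,
    fn(string $u, string $p): bool => $u === 'alice' && hash_equals('s3cret', $p)
);
foreach ($result['cookies'] as $name => $cookie) {
    setcookie($name, $cookie['value'], $cookie['options']);
}
http_response_code($result['status']);
```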

@Taluu
Contributor

Taluu commented Sep 4, 2019

Beeecause a cookie is not stored on client side ? That's new. And nothing prevents you from making a token usable only through http (it's called a bearer auth token). What you're trying to make is basically a stateful api...

Still not convinced.

@Cryde

Cryde commented Sep 4, 2019

Beeecause a cookie is not stored on client side ? That's new.

I didn't mean that. I didn't explain it well, sorry.
I mean that you can't generate an httpOnly cookie from JavaScript (from the client).

A lot of scenarios that I saw on the web to make an app (with VueJS for instance, which will call for stuff through an API) are that you log in through JSON and then it returns you a "token".
Some suggest storing this "token" in web storage or a cookie (but from the client).

And nothing prevents you from making a token usable only through http (it's called a bearer auth token). What you're trying to make is basically a stateful api...

Didn't know that. I will investigate.

Thanks!

@Cryde

Cryde commented Sep 9, 2019

Ok, so you are suggesting something like JWT?
So instead of using a remember-me cookie that works kind of "out of the box", I should install a JWT bundle + a JWT bundle that will refresh my token?

Why is it bad to have a stateful API?

@florianajir

florianajir commented Sep 10, 2019

+1 for @Cryde. Even if it's not considered a good practice in web API architecture, it should be a matter of choice to be stateful or stateless, especially when the config key is available.

@carsonbot

Thank you for this suggestion.
There has not been a lot of activity here for a while. Would you still like to see this feature?

@carsonbot

Friendly ping? Should this still be open? I will close if I don't hear anything.

@carsonbot

Hey,

I didn't hear anything so I'm going to close it. Feel free to comment if this is still relevant, I can always reopen!

@Cryde

Cryde commented Feb 26, 2023

This new feature will address this, I guess: #48899
