This is the way I generate a token for the user,
$token = $user->createToken('app_token')->plainTextToken;
Is there any way to automatically expire this token after a certain amount of time? (Which means automatically deleting the token record from personal_access_tokens table)
You can do this via the expiration configuration option defined in your application's sanctum configuration file.
'expiration' => 525600,
The token will be considered expired after this time. If you also want to delete that token from the database, you have to schedule a task like this:
$schedule->command('sanctum:prune-expired --hours=24')->daily();
This scheduled task will delete all expired tokens from the database
I'm using Tymon JWT package in my Laravel project, and I need to invalidate the token of the connected user after 4 hours of inactivity.
In the config file of the package I can set the TTL time for a token as : 'ttl' => env('JWT_TTL', 240), and the user will be logged out every 4 hours even if he was active, but I only want that to happen if the user wasn't active during the whole 4 hours.
To have the token expire after the user goes idle, you have to reissue a token on every request with a new expiration
I believe you are also looking for exp, not ttl.
Tokens are minted by the server at a specific time. You cannot modify a token, but you can make a new one. Only the server can mint tokens. Most of the time, the server uses a Public-Private key, and signs the token with the private key. Therefore the user cannot modify it without failing verification.
Just set the token the next time the user makes a request. That is a common practice when using JWTs. It isn't much overhead to set it, and that will take care of the '4 hours of inactivity' signout.
I have a webapp that uses persistent cookies to allow a user to stay logged in.
I am using the Improved Persistent Login Cookie method.
https://www.programering.com/a/MDO0MzMwATA.html
https://www.experts-exchange.com/questions/29006560/selector-validator-cookies.html
When a user is logging in through the LOGIN form and has asked to be remembered I generate a random selector and a random token and add these to a table called Session in my DB along with the userID and other values (IP, time, browser, whatever). I also set a cookie called KeepMeLoggedIn with the value selector:token that expires in 30 days.
When the user returns to the site (before or after the PHP Session/Code Igniter has expired) I check for $_SESSION variable, if none found I look for my KeepMeLoggedIn cookie. If the cookie returns a value I check it against my Session table to see if the selector and token match. If they match I reset the token and store it back in the DB and cookie is updated to the new selector:token value and the login process completes.
When a user logs out I destroy the cookie and session and delete the entry in the DB for the selector.
All this is working great except for when a user deletes the cookies manually. The record in my Session table is orphaned. In testing my system I ended up with 50+ records in my Session table that were from the cookies I manually deleted while testing the logic. Since I manually deleted the cookie, the selector was not available to the code to be deleted/removed from the Session DB.
So here are my questions:
1) What is a usable approach to handling these orphaned records?
My first thought is to just purge the Session table of anything dated older than my chosen expiration date for the Remember Me function, either when a user logs in, or in a cron job, or whenever.
Are there any other ideas here?
2) Is this a vulnerability in the overall model that can allow a hacker to:
create an account on a website
x=1
while x <2
-> login and ask to be remembered
-> delete the cookie
do();
And end up flooding the website's Session table till the site is shut down, adding thousands and thousands of records over time?
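As an added example (not code from the original post), here is one way to implement the purge proposed under (1) together with a per-account cap that bounds the flooding loop in (2). It runs offline against an in-memory SQLite database; the table and column names are assumptions and should be adapted to the real schema. It also stores only a hash of the token, which the selector/validator method allows, so a copy of the table is not enough to forge a cookie.

```php
<?php
// Added example, not code from the original post: housekeeping for the Session table
// described above, answering (1) with a purge and (2) with a per-user cap.
// Runs offline against an in-memory SQLite database; table and column names are
// assumptions, adapt them to your schema.

const REMEMBER_ME_DAYS = 30;      // must match the cookie's expiry
const MAX_TOKENS_PER_USER = 10;   // bounds the rows one account can create

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE session (
        id         INTEGER PRIMARY KEY AUTOINCREMENT,
        selector   TEXT NOT NULL UNIQUE,
        token_hash TEXT NOT NULL,
        user_id    INTEGER NOT NULL,
        expires_at INTEGER NOT NULL)');
    return $db;
}

// Issue a new remember-me pair. Only a hash of the token is stored, so a copy of the
// table is not enough to forge a cookie; the browser gets the raw selector:token.
function issueRememberMe(PDO $db, int $userId, int $now): string
{
    $selector = bin2hex(random_bytes(9));
    $token    = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO session (selector, token_hash, user_id, expires_at) VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $token), $userId, $now + REMEMBER_ME_DAYS * 86400]);
    enforcePerUserCap($db, $userId);
    return $selector . ':' . $token;
}

// Keep only the newest MAX_TOKENS_PER_USER rows for an account. The login/delete-cookie
// loop from question (2) then tops out at this many rows per account the attacker owns.
function enforcePerUserCap(PDO $db, int $userId): void
{
    $stmt = $db->prepare('DELETE FROM session WHERE user_id = :u AND id NOT IN
        (SELECT id FROM session WHERE user_id = :u2 ORDER BY id DESC LIMIT :n)');
    $stmt->bindValue(':u', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':u2', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':n', MAX_TOKENS_PER_USER, PDO::PARAM_INT);
    $stmt->execute();
}

// Purge orphans (question 1): a row past the cookie lifetime can no longer be presented
// by any browser, so dropping it loses nothing. Call from cron or on each login.
function purgeExpired(PDO $db, int $now): int
{
    $stmt = $db->prepare('DELETE FROM session WHERE expires_at <= ?');
    $stmt->execute([$now]);
    return $stmt->rowCount();
}

// Check a presented cookie. Compare hashes in constant time, then rotate the token as
// the post describes. Returns the user id and the new cookie value, or null.
function validateCookie(PDO $db, string $cookie, int $now): ?array
{
    if (!str_contains($cookie, ':')) {
        return null;
    }
    [$selector, $token] = explode(':', $cookie, 2);
    $stmt = $db->prepare('SELECT token_hash, user_id FROM session WHERE selector = ? AND expires_at > ?');
    $stmt->execute([$selector, $now]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;   // unknown selector, expired row, or wrong token
    }
    $newToken = bin2hex(random_bytes(32));
    $db->prepare('UPDATE session SET token_hash = ? WHERE selector = ?')
       ->execute([hash('sha256', $newToken), $selector]);
    return ['user_id' => (int) $row['user_id'], 'cookie' => $selector . ':' . $newToken];
}

// Constructed scenario: account 7 logs in and throws the cookie away 25 times.
$db  = openDb();
$now = time();
for ($i = 0; $i < 25; $i++) {
    issueRememberMe($db, 7, $now);
}
echo 'rows for user 7: ', $db->query('SELECT COUNT(*) FROM session WHERE user_id = 7')->fetchColumn(), "\n"; // 10, not 25
$cookie = issueRememberMe($db, 7, $now);
$result = validateCookie($db, $cookie, $now);
echo 'valid now: ', var_export($result !== null && $result['user_id'] === 7, true), "\n";   // true
echo 'rotated cookie differs: ', var_export($result['cookie'] !== $cookie, true), "\n";  // true
echo 'purged after 31 days: ', purgeExpired($db, $now + 31 * 86400), "\n";                 // 10
echo 'valid after purge: ', var_export(validateCookie($db, $result['cookie'], $now + 31 * 86400), true), "\n"; // NULL
```

The cap is the part that answers (2): the loop in the question can create rows at most as fast as it can create accounts, and each account's rows are bounded, so rate-limiting account creation plus this cap keeps the table size proportional to the number of accounts rather than to the number of logins.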
I'm building my first API with JWT. I'm using this boilerplate project: https://github.com/krisanalfa/lumen-jwt
I managed to make it work well, but I'm having a big problem: the user token expires after some time, logging the user off the application. I've read in the documentation of the project to call /api/auth/refresh to refresh the token, but right now it seems to me that it has two major drawbacks:
1) You have to make a single call to the API just to refresh the token; I would imagine that you would have to set up a timer to call it every X minutes (time of token expiration).
2) If the user turns off the computer for 3 hours, when he turns it back on, the token will already have expired, rendering the refresh unusable, and logging the user off.
Since I'm new to this, am I missing something? How can I make the token refresh cycle work without these drawbacks?
Taking your two points.
1) You can make a token valid for only a single use by using the blacklist feature. This however isn't entirely necessary.
In my own project, I gave tokens a 5 minute expiry, but I also applied the jwt-refresh middleware to my authenticated routes (wrapped in a route group), so that a new token was returned with every request.
2) You can also specify a refresh expiry, which is the window during which an expired token can be authenticated. This is usually much longer than a token. I used 14 days.
Therefore, if a user leaves your website for 3 hours and comes back, their token will have expired. But your app should attempt to refresh that token in the background and then re-attempt the original request.
Give some thought to the obvious security implications of the respective token lifetimes. 5 minutes is a short window for abuse, but if an expired token can be refreshed for up to 14 days, that increases the risk, unless you're blacklisting it.
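The "reissue a token on every request" approach, which both the inactivity answer above and this one rely on, as an added example that is neither answer's code nor the library's own middleware. It assumes tymon/jwt-auth 1.x (the library krisanalfa/lumen-jwt wraps) and a config/jwt.php with 'ttl' => 240 and 'blacklist_enabled' => true; the class name and route behaviour are mine.

```php
<?php
// app/Http/Middleware/SlidingJwt.php
// Added example, not code from either answer or from tymon/jwt-auth itself: reissue the
// JWT on every authenticated request so the token's `exp` always sits `ttl` minutes after
// the LAST request (the 4-hours-of-inactivity rule), and hand the client the new token in a
// response header. Assumes tymon/jwt-auth 1.x and config/jwt.php with 'ttl' => 240 and
// 'blacklist_enabled' => true.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Exceptions\TokenExpiredException;
use Tymon\JWTAuth\Facades\JWTAuth;

class SlidingJwt
{
    public function handle(Request $request, Closure $next)
    {
        try {
            // Token present and inside its ttl: authenticate the user from it...
            $user = JWTAuth::parseToken()->authenticate();
            if (!$user) {
                return response()->json(['error' => 'unauthorized'], 401);
            }
            // ...then mint a replacement. With the blacklist on, the token we just
            // consumed is invalidated, so a stolen copy cannot outlive this request.
            $fresh = JWTAuth::refresh();
        } catch (TokenExpiredException $e) {
            // exp is in the past: the client sat idle longer than ttl. The library would
            // still allow /api/auth/refresh within refresh_ttl; whether the app calls it
            // (the Lumen answer) or treats this as logout (the inactivity question) is a
            // policy choice, so return 401 here and let the client decide.
            return response()->json(['error' => 'token_expired'], 401);
        } catch (JWTException $e) {
            // missing, malformed, bad signature, or blacklisted
            return response()->json(['error' => 'token_invalid'], 401);
        }

        $response = $next($request);
        // The client replaces its stored token with this one on every response.
        $response->headers->set('Authorization', 'Bearer ' . $fresh);
        return $response;
    }
}
```

Register it on the authenticated route group in place of the stock auth middleware. Two knobs matter for the security trade-off the answer mentions: refresh_ttl is the only thing keeping an expired token usable, so set it to the longest idle gap you are willing to accept, and with the blacklist enabled give blacklist_grace_period a few seconds so two requests the browser fires in parallel with the same token do not race each other into a 401.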
I have an access to an API under this link:
https://api.adform.com/Services/Security/Login?username=api_user&password=mypassword&callback=JsonPCallBack
It gets me back a ticket id in such manner:
JsonPCallBack({
"Ticket": "GEZDIMZRHFTDEZRYGVSTEMJNGM2DMLKMNGRRWGMZNHA4DIMRNGE4DAZRTMVRTKMJXMUZSYTKXLEZEETSQJQ3DINKBGRDTMMSHJFBUMQKSGNLDKM2PKFFVITCG"
})
The issue is that every 3 hours it expires.
How would you make it with PHP so that the script regenerates the ticket every 3 hours and saves it into:
$config = array(
"ticket" => "GEZDIMZRHFRWGMZQGJSWKZRNGYYTCOLDMDNRSWCZRNMIYTIMJNMNSWGZTBHA2DGYLBGI4CYN2CJNBDIU2KIVBUEWSUKZHTOSKBIRKUYU2EIVLFUR2WKRBFKWCI"
);
Thanks!
You can do the following which is very similar to managing OAuth access token refresh:
Whenever you retrieve a SOAP authentication ticket, calculate the expiration time by adding 3 hours (or slightly less) to the current time.
Save the expiration time along with the SOAP authentication ticket.
Before each subsequent request, compare the current time with the expiration time. If the current time is past the authentication ticket expiration time, retrieve another SOAP authentication ticket and save it with the new expiration time before making the request.
In case you make a request and receive an error, try to re-authenticate, get a new authentication ticket and make the request again.
This approach has the following benefits:
Only retrieve a new authentication ticket when you think you need it.
Automatic refresh in case your ticket has expired or is otherwise invalidated.
No need to run an external process.
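The refresh logic described in the steps above, as an added example that is not part of the answer. The login call and the API's error behaviour are injected as closures (assumptions), so the block runs offline with a constructed fake server and a controllable clock; in production the login closure would fetch the Login URL from the question and parse the Ticket field.

```php
<?php
// Added example, not code from the answer above: cache an authentication ticket,
// refresh it shortly before the 3-hour expiry, and re-authenticate once if the API
// rejects it early. The fetcher and clock are injected so this runs without network.

final class TicketRejectedException extends RuntimeException {}

final class TicketCache
{
    private ?string $ticket = null;
    private int $expiresAt = 0;

    public function __construct(
        private Closure $login,           // fn(): string  -> a fresh ticket from the API
        private Closure $clock,           // fn(): int     -> current unix time
        private int $ttlSeconds = 3 * 3600,
        private int $safetyMargin = 300,  // refresh 5 minutes early: "3 hours or slightly less"
    ) {}

    // Step 3: before each request, compare now with the saved expiry and refresh if past it.
    public function ticket(): string
    {
        if ($this->ticket === null || ($this->clock)() >= $this->expiresAt) {
            $this->refresh();
        }
        return $this->ticket;
    }

    // Steps 1-2: fetch a ticket and save it with its computed expiry time.
    public function refresh(): void
    {
        $this->ticket    = ($this->login)();
        $this->expiresAt = ($this->clock)() + $this->ttlSeconds - $this->safetyMargin;
    }

    // Step 4: if the server rejects the ticket anyway (revoked, or the server's clock
    // disagrees with ours), re-authenticate once and retry the same request.
    public function call(Closure $request): mixed
    {
        try {
            return $request($this->ticket());
        } catch (TicketRejectedException $e) {
            $this->refresh();
            return $request($this->ticket());
        }
    }
}

// --- Constructed offline demo: fake login endpoint, fake API, manual clock ----------
$now    = 1_700_000_000;
$issued = 0;
$login  = function () use (&$issued) { $issued++; return "TICKET-$issued"; };
$clock  = function () use (&$now) { return $now; };

$cache = new TicketCache($login, $clock);
$valid = ['TICKET-1' => true];   // what the fake server currently accepts
$api   = function (string $ticket) use (&$valid) {
    if (empty($valid[$ticket])) {
        throw new TicketRejectedException("server rejected $ticket");
    }
    return "ok with $ticket";
};

echo $cache->call($api), "\n";   // ok with TICKET-1  (one login)
$now += 2 * 3600;
echo $cache->call($api), "\n";   // ok with TICKET-1  (inside the window, no login)
$now += 1 * 3600;                // now past 3h - 5min since issue
$valid = ['TICKET-2' => true];
echo $cache->call($api), "\n";   // ok with TICKET-2  (refreshed before the request)
$valid = ['TICKET-3' => true];   // server revokes TICKET-2 ahead of schedule
echo $cache->call($api), "\n";   // ok with TICKET-3  (rejected, re-authenticated, retried)
echo "logins: $issued\n";        // 3
```

To survive across script runs, persist the ticket and expiry pair (for example as JSON next to the $config array in the question) and load it into the cache at startup; the refresh-on-demand logic is unchanged, and the retry path covers the case where the saved ticket was revoked while the script was not running.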
In the login window and Auth management I can't set the lifetime correctly. How do I set that before creating a session, such as:
Config::set('session.lifetime', '60');
The second parameter is random and the user can change it in the login window.
You definitely should not change the server's session lifetime in the Laravel instance for each individual user. Instead, store the session expiration time for each individual user somewhere in the database, next to the user data, along with the timestamp of the last user activity. Whenever the difference between the last user activity and the new request is more than the expiration time (that you saved in the database), do Session::flush().
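The per-user check described in that answer as a Laravel middleware, added here as an example rather than the answer's own code. It assumes two extra columns on the users table, session_timeout_minutes and last_activity_at (both assumptions, added by migration), and it uses session()->invalidate(), which flushes the session data as Session::flush() does and additionally regenerates the session id.

```php
<?php
// app/Http/Middleware/PerUserIdleTimeout.php
// Added example, not code from the answer above: enforce a per-user inactivity limit
// kept in the database, instead of changing session.lifetime at runtime.
// Assumes two extra columns on the users table (assumption, add via migration):
//   session_timeout_minutes INTEGER  - the value the user picked in the login window
//   last_activity_at        DATETIME - updated on every authenticated request

namespace App\Http\Middleware;

use Carbon\Carbon;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class PerUserIdleTimeout
{
    // Upper bound enforced server-side. The value taken from the login form is clamped
    // to this, so a client cannot submit 9999999 and obtain a session that never expires.
    public const MAX_TIMEOUT_MINUTES = 8 * 60;

    public function handle(Request $request, Closure $next)
    {
        $user = Auth::user();
        if ($user !== null) {
            $limit = min((int) $user->session_timeout_minutes, self::MAX_TIMEOUT_MINUTES);
            $last  = $user->last_activity_at ? Carbon::parse($user->last_activity_at) : null;

            if ($limit > 0 && $last !== null && $last->diffInMinutes(Carbon::now()) >= $limit) {
                // Idle longer than this user's own limit: end the server-side session.
                // invalidate() flushes the data (what Session::flush() does) and
                // regenerates the id; regenerateToken() also rotates the CSRF token.
                Auth::logout();
                $request->session()->invalidate();
                $request->session()->regenerateToken();
                return redirect()->route('login')->with('status', 'Session expired due to inactivity.');
            }

            // Still active: record this request as the new "last activity".
            $user->last_activity_at = Carbon::now();
            $user->save();
        }
        return $next($request);
    }
}
```

Apply the same clamp when the login controller stores the user's choice, and keep the global session.lifetime at or above MAX_TIMEOUT_MINUTES so the framework's own expiry never cuts a session shorter than the per-user rule allows.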