Session expiration


#1

It saddens me that I can not allow a user session to NEVER expire until log out… So I looked into just, on log in, setting my user’s session expiration time to say a year in the future. But that doesn’t seem to be possible either. Is there a way to, on log in, override the ticket expiration? Or maybe in roles assign a default of 1 year to a given user type?


#2

Hey Erik, session override will be in version 1.6 shipping next week. I will post instructions once I talk to Lee, who implemented the code.

Cheers,
Ben


#3

Erik,

After running this by engineering, Lee was able to provide some valuable insight that is a temporary fix for the session expiration issue. Know that this is no “fix” for this in release 1.6, but a real fix will come in 2.0 when we re-write session handling.

But you can get it to work using the default session and the “duration” url parameter on login. Here is what you have to do (which I assume will not be ideal for clients because it deals with cookies).

This currently works by setting a "duration" field greater than 0 (default) in the login request as below (the launchpad checkbox currently sets the duration = 3600 * 24 * 30 i.e. 30 days).

curl -i -k -3 -X POST http://localhost/rest/user/session \
  -H "X-DreamFactory-Application-Name: todojquery" \
  -d '{ "email" : "test@dreamfactory.com", "password" : "Password123", "duration": 3600 }'

The -i option above dumps response headers. You will see that the server is setting the session cookie as well as an additional hashed cookie that can be used to “re-create” the session later after it “expires”. Notice the “expires” value.

Set-Cookie: PHPSESSID=ediaffcjdlukhi9jflpntl7ch3; path=/
Set-Cookie: 279d658aeca916be9eda1385aac9b2fd=94cdd89f843b42d076b701ca53c6f81d00d8cc6fa%3A4%3A%7Bi%3A0%3Bi%3A11%3Bi%3A1%3Bs%3A20%3A%22lee%40dreamfactory.com%22%3Bi%3A2%3Bi%3A3600%3Bi%3A3%3Ba%3A6%3A%7Bs%3A12%3A%22display_name%22%3Bs%3A9%3A%22Rob+Hicks%22%3Bs%3A5%3A%22email%22%3Bs%3A20%3A%22lee%40dreamfactory.com%22%3Bs%3A10%3A%22first_name%22%3Bs%3A3%3A%22Rob%22%3Bs%3A9%3A%22last_name%22%3Bs%3A5%3A%22Smith%22%3Bs%3A8%3A%22password%22%3Bs%3A60%3A%22%242a%2413%24x6bj8fWK4owneNoi0WcaUOkyIZVjdetb4VJUYyGRSKrTKm1tt0BzK%22%3Bs%3A16%3A%22df_authenticated%22%3Bb%3A0%3B%7D%7D; expires=Wed, 11-Jun-2014 13:03:06 GMT; path=/

While we recommend using the X-DreamFactory-Session-Token in following calls after the login, which works until the aforementioned garbage collection runs, it will not work indefinitely due to the current header processing. So calls like this…

curl -i -k -3 -X GET http://localhost/rest/db/todo \
  -H "X-DreamFactory-Application-Name: todojquery" \
  -H "X-DreamFactory-Session-Token: o4h6bfel1hmslti69e2880ia17"

Will eventually give you the “No valid session” error. What does work is to send the cookies (both of them) generated from the above login, but not the X-DreamFactory-Session-Token which overrides this behavior.

curl -i -k -3 -X GET http://localhost/rest/db/todo \
  -b "PHPSESSID=onp2sanr1o4sjc41p66b1sgmv6; 279d658aeca916be9eda1385aac9b2fd=94cdd89f843b42d076b701ca53c6f81d00d8cc6fa%3A43A%7Bi%3A0%3Bi%3A11%3Bi%3A1%3Bs%3A203A%22lee%40dreamfactory.com22%3Bi%3A2%3Bi%3A3600%3Bi%3A3%3Ba%3A63A%7Bs3A123A%22display_name22%3Bs%3A93A%22Rob+Hicks22%3Bs%3A53A%22email22%3Bs%3A203A%22lee%40dreamfactory.com%22%3Bs%3A10%3A%22first_name%22%3Bs%3A3%3A%22Rob%22%3Bs%3A9%3A%22last_name%22%3Bs%3A53A%22Smith22%3Bs%3A83A%22password22%3Bs%3A603A%22242a%2413%24x6bj8fWK4owneNoi0WcaUOkyIZVjdetb4VJUYyGRSKrTKm1tt0BzK%22%3Bs%3A16%3A%22df_authenticated%22%3Bb%3A03B7D%7D; expires=Wed, 11-Jun-2014 18:09:05 GMT; path=/" \
  -H "X-DreamFactory-Application-Name: todojquery"

This causes the session to be regenerated (though it doesn’t seem to have everything stored in it as we do on login) and processes the call as normal.

Logout kills the duration cookie and the session expires and is garbage collected…

curl -i -k -3 -X DELETE http://localhost/rest/user/session \
  -H "X-DreamFactory-Application-Name: todojquery" \
  -H "X-DreamFactory-Session-Token: o4h6bfel1hmslti69e2880ia17"

Date: Wed, 11 Jun 2014 12:23:20 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
Set-Cookie: 279d658aeca916be9eda1385aac9b2fd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/

Hopefully, this clears things up for you until there is a permanent fix for this issue which will be in a future release (2.0) - Have a good one, Erik!

  • Mark
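The second Set-Cookie value in the login response above is what the server later uses to "re-create" the session, and the header as printed carries the user's serialized record, including the `password` field with its bcrypt hash. The decoder below is an added example for auditing what such a persistent-login cookie sends to the client; it is not DreamFactory code, and it assumes (from the header's shape only) a 40-hex digest followed by URL-encoded PHP-serialized data; `php_unserialize`, `decode_autologin_cookie` and `build_sample_cookie` are names chosen here, and the sample cookie is constructed.

```python
# Added example (not DreamFactory's code). Assumption, taken only from the Set-Cookie
# header above: the value is a 40-hex digest followed by URL-encoded PHP-serialized data.
import re
from urllib.parse import quote, unquote

def php_unserialize(data, pos=0):
    """Minimal PHP unserialize for i/s/b/a values; returns (value, next_pos)."""
    t = data[pos]
    if t in "ib":                              # i:11;  b:0;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return (int(raw) if t == "i" else raw == "1"), end + 1
    colon = data.index(":", pos + 2)
    n = int(data[pos + 2:colon])               # string length or element count
    if t == "s":                               # s:5:"email";
        start = colon + 2
        return data[start:start + n], start + n + 2
    if t == "a":                               # a:2:{...}
        pos, result = colon + 2, {}
        for _ in range(n):
            key, pos = php_unserialize(data, pos)
            result[key], pos = php_unserialize(data, pos)
        return result, pos + 1                 # skip closing '}'
    raise ValueError(f"unsupported type {t!r} at offset {pos}")

def decode_autologin_cookie(raw_value):
    """Split digest and payload, decode the [id, name, duration, states] array and
    report which state keys are sent to the client (password hashes should never be)."""
    m = re.match(r"([0-9a-f]{40})(.*)", unquote(raw_value), re.S)
    if not m:
        raise ValueError("cookie value does not start with a 40-hex digest")
    digest, payload = m.groups()
    data, _ = php_unserialize(payload)
    states = data[3]
    return {"digest": digest, "user_id": data[0], "name": data[1],
            "duration": data[2], "state_keys": sorted(states),
            "sensitive_keys": [k for k in states if "password" in str(k)]}

def build_sample_cookie():
    """Constructed sample in the same shape as the header above (not a real session)."""
    email, pw_hash = "user@example.com", "$2a$13$" + "x" * 53   # placeholder bcrypt
    states = (f'a:3:{{s:5:"email";s:{len(email)}:"{email}";'
              f's:8:"password";s:{len(pw_hash)}:"{pw_hash}";s:16:"df_authenticated";b:0;}}')
    payload = f'a:4:{{i:0;i:11;i:1;s:{len(email)}:"{email}";i:2;i:3600;i:3;{states}}}'
    return "0" * 40 + quote(payload, safe="")   # digest is a stand-in, not a real HMAC

if __name__ == "__main__":
    print(decode_autologin_cookie(build_sample_cookie()))
```

Run it against a real cookie value copied from your own login response to see the duration it carries and whether any credential material is in `state_keys`.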

#4

Hi,
I’m running 1.7, but I can’t find this option anywhere. Can you help me out here? Thanks.


#5

If you write an app that runs in the browser it can POST to /rest/user/session to log in to the DSP. You include a duration > 0 to enable the session timeout option. Is that what you are asking?

POST { "email" : "test@dreamfactory.com", "password" : "mypassword", "duration": 3600 }