Forever Session not refreshing

r00tb33r · September 26, 2019, 7:52pm

Contents of .env:

...
DF_JWT_TTL=1
DF_JWT_REFRESH_TTL=20160
DF_ALLOW_FOREVER_SESSIONS=true
...

My understanding of the environment configuration:
DF_JWT_TTL sets how soon a session token expires, a value of 1 means 1 minute (for testing)

DF_JWT_REFRESH_TTL sets the time window of when an expired session token can be refreshed to receive a new one without logging in again, a value 20160 means 20160 minutes or 2 weeks

DF_ALLOW_FOREVER_SESSIONS sets the ability to keep one session refreshing again and again (receiving a new session token every time), so long as DF_JWT_REFRESH_TTL does not run out between refreshes

Configuration cache cleared using:
php artisan config:clear

Environment API call returns:

  ...
}
},
"oauth": [],
"adldap": [],
"saml": [],
"allow_open_registration": true,
"open_reg_email_service_id": 6,
"allow_forever_sessions": true,
"login_attribute": "email"
},
  "apps": [
...

Using DF REST Tester v1.0

POST request to /api/v2/user/session (a login) with the following JSON payload:

{
"email": "my@email.com",
"password": "password",
"remember_me": true
}

Returns a session_token, great.

PUT request to /api/v2/user/session (a refresh) under 1 minute after login with the following URL part:

/api/v2/user/session?session_token=eyJ0eXAiOiJKV1QiLCJh...

Returns a new session_token, great.

PUT request to /api/v2/user/session (a refresh) over 1 minute after login with the following URL part:

/api/v2/user/session?session_token=eyJciOiJIUzI...

Returns the following:

{
  "error": {
	"code": 401,
	"context": null,
	"message": "Token has expired: Session expired. Please refresh your token (if still within refresh window) or re-login.",
	"status_code": 401
  }
}

Per documentation found here: Forever sessions - DreamFactory
As far as I see, my refresh was after DF_JWT_TTL but before DF_JWT_REFRESH_TTL, which is when I should be having to refresh my session token without logging in again. But it just. doesn’t. work.

The conclusion that session refresh doesn’t work, and thus forever session doesn’t work either.

What is the fix?

I see a similar question was asked in the past, but no solution was found:

Not looking good.

Topic		Replies	Views
Problems to refresh a forever session token Authentication & Security	4	3912	September 7, 2016
Token refresh returns 401 Authentication & Security	5	2138	February 17, 2019
Token refresh not working Authentication & Security	3	2127	December 10, 2018
Session Toekn Refresh Authentication & Security	2	1308	May 10, 2019
Session token previously blacklisted on refresh Authentication & Security	5	4658	January 3, 2017

Forever Session not refreshing

Related Topics