Sunday, February 1, 2015

Cookieless Sessions - Automatically Login Your Users

The default Bedrock persistence store, implemented via the $session object has the ability to create a token (session identifier) you can use to automatically log your users into your applications.

This is a useful feature for resetting passwords and perhaps creating convenience links for fast access to application specific pages that would normally require a user to login to the application.  Here's how it works...

Suppose your user forgets their password and you've implemented login sessions using Bedrock's default persistence storage object $session.

First, let's create a new user.

<null $session.register('fred', 'd1n0', 'Fredericko', 'Flintstone', 'fred@openbedrock.net')>

We now have a registered user who can login to the application with a username of fred and a password of d1n0.

<try>
  <null $session.login('fred', 'd1no0')>
<catch>
  Please try again!
</try>

Once logged in, Fred will have an active session with all the rights and privileges that your application bestows upon logged in users.   Which is to say, you define what users can and can't do.

Now suppose that Fred forgets his password because he was hit on the head by a rock at Mr. Slate's quarry.  Not so hard to imagine since Fred is probably day dreaming while he's moving megalithic rocks into place at that new fangled Stonehenge project (which of course he thinks will never catch on!).

Applications typically allow users to enter their username or password in order to recover or reset their password.  A well established pattern is to send an email to the user's registered email address with a link that sends them to a page where they can change their password.  This is typically done by providing a single use or time boxed token that allows the user to access their account for the sole purpose of changing their password.  So how do we do this with Bedrock sessions?

First we create a temporary login session using the $session.create_temp_login_session() method.

<try>
  <null:token $session.create_temp_login_session('fred', '15m')>
  <null $session.cookieless_session($token)>
<catch>
  Invalid user!
</try>

Assuming the user exists and we have not thrown an exception, we are now logged in as the user and have access to his email address (if you've set that during the call to the $session.register() method as I did above).  We can now send the user an email with a link to a page that allows them to reset their password.  The link will  include our temporary session token that will expire in 15 minutes.

<plugin:Mail localhost 60>

<null $Mail.to($session.email)>
<null $Mail.from('do-not-reply@www.openbedrock.net')>
<null $Mail.subject('Reset your password')>
<null $Mail.content_type('text/html')>

<sink:message>
Click here to reset your password:
<a href="http://www.openbedrock.net/reset_password.roc?session=<var token>">http://www.openbedrock.net/reset_password.roc?session=<var $token></a>
</sink>

<null $Mail.sendmail($message)>

This a well established pattern and the Bedrock session manager supports it as well.  Whether or not sending login tokens to user's email address is a secure method is debatable, but presumably sending an email to the owner of the account makes some sense.  We can immediately kill the session, making our token effectively a single use token.

<null $session.logout()>

Using this pattern we can also send links to users with valid login tokens when we want to allow them to quickly access portions of the application without logging in.  The pattern is exactly the same.  If we want to allow the user to remain logged in and maintain session state using a valid session cookie, Bedrock 2.4.1-10 now provides a new flag to the $session.cookieless_session() method that tells the session manager to turn the session into a persistent cookie based session, making the method's name somewhat of a misnomer.

<null $session.cookieless_session($input.session, 1)>

In effect, we use the $session.cookieless_session() method simply to inject the session token, forcing Bedrock to log the user in with the given session identifier.  Bedrock's session manager then sends the browser a cookie with the new session identifier and expire time defined in your session manager's configuration section.

To learn more about some of these techniques and methods see the links below:




No comments:

Post a Comment

Feel free to leave a helpful comment. Nastiness is unbecoming. Spam will be promptly deleted.