- no login required, once user authorize my web app , user can start to use the service. By these means, my app will use the returned userId(or token) as the identification of the user
- Within the authorized duration, user may use the service time to time. I don't want my user do the authorization for each request. So I need to persist the user login status in some way
Barry Jaspan's article described a best practice for persistent login, which I think is good to refer. I would like to adapt it a bit and use in my app.
Here adapted design
1. when user successfully authorized by Evernote OAuth service, my app will issue a cookie to the user
2. the cookie contains the userId and a random token from a large space, the userId and the random number will be stored in my app
3. When a user visit my web app with the cookie, the username and token are looked up in the database.
- If the pair is present, the user is considered as authenticated. My web app will load the accesstoken and notestore URL. In addtion, a new token is generated, store in database with username, and issue to the user via a new cookie.
- An invalid pair is regarded as a potential attack, thus will trigger the invalidation of all user token (Jasper did improvement on preventing DOS attack)
Is above solution a good practice, or do you have any other suggestion? Thanks a lot!