Persist user authorized status without username/password

oauth


#1 MagicGear

  • Title: Member
  • Group: Members
  • 1 post

Posted 30 May 2012 - 04:56 AM

I am doing a web app using Evernote's service. I use OAuth for user authorization, and prefer to:
  • No login required: once the user authorizes my web app, the user can start to use the service. By this means, my app will use the returned userId (or token) as the identification of the user.
  • Within the authorized duration, the user may use the service from time to time. I don't want my users to do the authorization for each request, so I need to persist the user's login status in some way.

Barry Jaspan's article described a best practice for persistent login, which I think is a good reference. I would like to adapt it a bit and use it in my app.

Here is the adapted design:
1. When the user is successfully authorized by the Evernote OAuth service, my app will issue a cookie to the user.
2. The cookie contains the userId and a random token from a large space; the userId and the random token will be stored in my app.
3. When a user visits my web app with the cookie, the username and token are looked up in the database.
  • If the pair is present, the user is considered authenticated. My web app will load the access token and NoteStore URL. In addition, a new token is generated, stored in the database with the username, and issued to the user via a new cookie.
  • An invalid pair is regarded as a potential attack and thus triggers the invalidation of all the user's tokens (Jaspan made an improvement for preventing DoS attacks).
4. If the cookie is not present, redirect the user to authorize, and repeat step 1.


Is above solution a good practice, or do you have any other suggestion? Thanks a lot!
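The four-step design in the post above, written out as an added example (it is not code from the original poster or from Evernote). It follows the post's scheme of a cookie carrying the userId plus a random token that is stored server-side, rotated on every successful use, and revoked across the board when a known user presents a wrong token. Two practitioner details are assumed rather than taken from the post: the store keeps only a SHA-256 hash of each token, so a leaked database yields no usable cookies, and the cookie also carries a per-browser series identifier (the DoS-prevention refinement the post attributes to Jaspan), so a forged cookie with an unknown series is simply ignored instead of logging the real user out everywhere. The in-memory dicts, the 30-day lifetime and the `logout` method (deleting everything held about the account, as the reply below asks for) are all constructed for this example.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32               # 256-bit random token: the "large space" in the post
COOKIE_TTL = 30 * 24 * 3600    # assumed 30-day lifetime for a persistent login


def _hash(token):
    # Only a hash of the token is stored, so a database leak yields no usable cookies.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class PersistentLoginStore:
    """In-memory stand-in for the app's database (constructed for this example)."""

    def __init__(self, ttl=COOKIE_TTL):
        self.ttl = ttl
        # user_id -> what the OAuth flow returned (access token, NoteStore URL)
        self.accounts = {}
        # user_id -> {series: (token_hash, expiry)}; one series per browser/device
        self.series = {}

    # Steps 1-2: OAuth succeeded; remember the account and issue the first cookie.
    def on_oauth_success(self, user_id, access_token, notestore_url, now=None):
        now = time.time() if now is None else now
        self.accounts[user_id] = {"access_token": access_token,
                                  "notestore_url": notestore_url}
        return self._issue(user_id, secrets.token_urlsafe(16), now)

    def _issue(self, user_id, series, now):
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self.series.setdefault(user_id, {})[series] = (_hash(token), now + self.ttl)
        return "%s:%s:%s" % (user_id, series, token)

    # Steps 3-4: check a presented cookie.
    # Returns (account, fresh_cookie) when authenticated, else None (send to OAuth).
    def authenticate(self, cookie, now=None):
        now = time.time() if now is None else now
        parts = cookie.split(":", 2) if cookie else []
        if len(parts) != 3:
            return None                          # no or malformed cookie: step 4
        user_id, series, token = parts
        entries = self.series.get(user_id, {})
        if series not in entries:
            return None                          # unknown series: a forged cookie
                                                 # must not be able to log others out
        stored_hash, expiry = entries[series]
        if not secrets.compare_digest(stored_hash, _hash(token)):
            self.revoke_all(user_id)             # known series, wrong token: the
            return None                          # cookie was probably stolen
        del entries[series]                      # every token is single-use
        if expiry <= now:
            return None                          # expired: just re-authorize
        return self.accounts[user_id], self._issue(user_id, series, now)

    def revoke_all(self, user_id):
        self.series.pop(user_id, None)

    def logout(self, user_id):
        # Logout deletes everything the app holds about the account.
        self.revoke_all(user_id)
        self.accounts.pop(user_id, None)
```

Whatever framework sets the cookie, send it with the `Secure` and `HttpOnly` flags; the scheme above only protects against database leaks and replay of a stolen token, not against the token being read in transit or by script. Note the difference between a replayed old token (same series, wrong token: everything is revoked) and a cookie for a series the server has never seen (ignored): the second case is what keeps an attacker who can only guess userIds from logging real users out.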

#2 Julien Boedec

  • Title: Browncoat
  • Group: Evernote Employee
  • 408 posts

Posted 31 May 2012 - 10:44 PM

Evernote isn't intended to be an identity provider - unlike some social networks - because it always forces the user to go through the OAuth flow and doesn't provide the developer with the user's information. However, we're OK with this type of usage. Please keep in mind that the user's authentication token must be stored securely on your service and the user must be able to log out (which automatically deletes all information you have about the user's account).