MagicGear

Persist user authorized status without username/password


I am building a web app using Evernote's service. I use OAuth for user authorization, and I would prefer:

  1. No login required: once the user authorizes my web app, the user can start to use the service. This means my app will use the returned userId (or token) as the identification of the user.
  2. Within the authorized duration, the user may use the service from time to time. I don't want my users to do the authorization for each request, so I need to persist the user's login status in some way.

Barry Jaspan's article describes a best practice for persistent login, which I think is a good reference. I would like to adapt it a bit and use it in my app.

Here is the adapted design:

1. When the user is successfully authorized by the Evernote OAuth service, my app will issue a cookie to the user.

2. The cookie contains the userId and a random token from a large space; the userId and the random token will be stored in my app.

3. When a user visits my web app with the cookie, the username and token are looked up in the database.

  • If the pair is present, the user is considered authenticated. My web app will load the access token and NoteStore URL. In addition, a new token is generated, stored in the database with the username, and issued to the user via a new cookie.
  • An invalid pair is regarded as a potential attack and thus will trigger the invalidation of all of the user's tokens (Jaspan made an improvement on preventing DoS attacks).

4. If the cookie is not present, redirect the user to authorize, and repeat from step 1.

Is the above solution good practice, or do you have any other suggestions? Thanks a lot!

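The four steps above, written out as an added example (this is not code from the original post, from Jaspan's article, or from Evernote). It follows Jaspan's improved scheme: the cookie carries the userId, a per-device series identifier and a rotating token, so a stale token inside a known series signals a copied cookie, while an unknown series merely sends the user back through OAuth and cannot be used to log other people out. The cookie layout, the in-memory dicts standing in for the database, and the EvernoteCredentials record holding the OAuth result are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class EvernoteCredentials:
    """What the OAuth callback returned for one Evernote user (assumed shape)."""
    user_id: str
    access_token: str    # a secret: encrypt at rest in a real deployment
    notestore_url: str


class PersistentLogin:
    """Jaspan-style persistent login keyed on the Evernote userId.

    Cookie layout (an assumption for this example): "userId:seriesId:token".
    A series identifier is created once per browser or device; the token
    inside a series is rotated on every successful visit, so a cookie whose
    series is known but whose token is stale was already spent by someone.
    """

    def __init__(self):
        self._creds = {}     # userId -> EvernoteCredentials (the "database")
        self._series = {}    # (userId, seriesId) -> currently valid token

    def on_oauth_success(self, creds):
        """Step 1: after the OAuth flow, store the credentials and issue a cookie."""
        self._creds[creds.user_id] = creds
        return self._issue(creds.user_id, secrets.token_urlsafe(16))

    def _issue(self, user_id, series_id):
        """Steps 2/3: a fresh CSPRNG token (256 bits), stored and sent in the cookie."""
        token = secrets.token_urlsafe(32)
        self._series[(user_id, series_id)] = token
        return f"{user_id}:{series_id}:{token}"

    def authenticate(self, cookie):
        """Steps 3/4: returns (status, credentials, new_cookie).

        status is "ok", "unknown" (no or malformed cookie, or unknown series:
        redirect to OAuth) or "theft" (known series, wrong token).
        """
        parts = cookie.split(":") if cookie else []
        if len(parts) != 3:
            return "unknown", None, None
        user_id, series_id, token = parts
        stored = self._series.get((user_id, series_id))
        if stored is None:
            # Unknown series: ask for re-authorization only. A guessed userId
            # never reaches the theft branch, so nobody can force a mass
            # logout of another user (Jaspan's DoS improvement).
            return "unknown", None, None
        if not hmac.compare_digest(stored.encode(), token.encode()):
            # Right series, wrong token: this cookie was copied and the copy
            # was already used. Revoke every series this user has.
            self.invalidate_user(user_id)
            return "theft", None, None
        # Valid pair: hand back the stored access token and NoteStore URL and
        # rotate the token so a later replay of this cookie is detectable.
        return "ok", self._creds[user_id], self._issue(user_id, series_id)

    def invalidate_user(self, user_id):
        for key in [k for k in self._series if k[0] == user_id]:
            del self._series[key]

    def logout(self, user_id):
        """Evernote's condition: logging out deletes everything held about the user."""
        self.invalidate_user(user_id)
        self._creds.pop(user_id, None)


def replay_scenario():
    """Constructed walk-through: normal use, then replay of a stolen copy."""
    app = PersistentLogin()
    creds = EvernoteCredentials("12345", "constructed-access-token",
                                "https://www.evernote.com/shard/s1/notestore")
    first = app.on_oauth_success(creds)
    ok, _, second = app.authenticate(first)     # legitimate visit rotates the token
    theft, _, _ = app.authenticate(first)       # attacker replays the old copy
    after, _, _ = app.authenticate(second)      # the victim's own cookie is dead too
    return ok, theft, after                     # ("ok", "theft", "unknown")
```

When you set the cookie, mark it Secure, HttpOnly and SameSite, and give each series an expiry so an unused cookie does not stay valid indefinitely. Note what the scheme does and does not do: a stolen cookie is honoured until either party next uses it, so the Evernote access token it unlocks is exposed for that window; rotation only makes the theft visible afterwards.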

Evernote isn't intended to be an identity provider - unlike some social networks - because it always forces the user to go through the OAuth flow and doesn't provide the developer with the user's information. However, we're ok with this type of usage. Please keep in mind that the user's authentication token must be stored securely on your service and the user must be able to log out (which automatically deletes all information you have about the user's account).
