Persist user authorized status without username/password


I am doing a web app using Evernote's service. I use OAuth for user authorization, and prefer to:

  1. No login required: once the user authorizes my web app, the user can start to use the service. By this means, my app will use the returned userId (or token) as the identification of the user.
  2. Within the authorized duration, the user may use the service from time to time. I don't want my users to do the authorization for each request, so I need to persist the user's login status in some way.

Barry Jaspan's article described a best practice for persistent login, which I think is a good reference. I would like to adapt it a bit and use it in my app.

Here is the adapted design:

1. When the user is successfully authorized by the Evernote OAuth service, my app will issue a cookie to the user.

2. The cookie contains the userId and a random token from a large space; the userId and the random number will be stored in my app.

3. When a user visits my web app with the cookie, the username and token are looked up in the database.

  • If the pair is present, the user is considered authenticated. My web app will load the accessToken and noteStore URL. In addition, a new token is generated, stored in the database with the username, and issued to the user via a new cookie.
  • An invalid pair is regarded as a potential attack and thus triggers the invalidation of all of the user's tokens (Jaspan made an improvement on preventing DoS attacks).

4. If the cookie is not present, redirect the user to authorize, and repeat step 1.

Is the above solution a good practice, or do you have any other suggestion? Thanks a lot!

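One way to model the adapted scheme above, as an added example that is not from the original post or from Evernote: an in-memory Python store where the cookie carries the userId, a series id (the Jaspan refinement the post refers to, which lets a stale cookie be told apart from a stolen one) and a random token, and where only a hash of the token is kept server-side. The dict standing in for the app's database and the `userId:series:token` cookie layout are assumptions.

```python
import hashlib
import hmac
import secrets

# Added example (not the post's code). A dict stands in for the app's database;
# the cookie format "userId:series:token" is an assumption for illustration.

class PersistentLogin:
    def __init__(self):
        # (user_id, series) -> sha256 hex of the token currently valid for that series
        self.db = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Steps 1-2: after Evernote OAuth succeeds, start a new series with a fresh token."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.db[(user_id, series)] = self._digest(token)
        return f"{user_id}:{series}:{token}"

    def invalidate_all(self, user_id):
        """Drop every series for the user; also what a logout should call."""
        for key in [k for k in self.db if k[0] == user_id]:
            del self.db[key]

    def validate(self, cookie):
        """Step 3: look the pair up; rotate the token on success, wipe on mismatch."""
        try:
            user_id, series, token = cookie.split(":", 2)
        except ValueError:
            return None, None
        stored = self.db.get((user_id, series))
        if stored is None:
            # Unknown series: treat as a stale or garbage cookie, not as theft, so
            # anyone who guesses a userId cannot wipe that user's sessions (DoS).
            return None, None
        if not hmac.compare_digest(stored, self._digest(token)):
            # Series is known but the token is wrong: the cookie was most likely
            # stolen and already used once, so invalidate everything for the user.
            self.invalidate_all(user_id)
            return None, None
        # Valid pair: rotate the token within the same series and re-issue the cookie.
        new_token = secrets.token_urlsafe(32)
        self.db[(user_id, series)] = self._digest(new_token)
        return user_id, f"{user_id}:{series}:{new_token}"
```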

Evernote isn't intended to be an identity provider - unlike some social networks - because it always forces the user to go through the OAuth flow and doesn't provide the developer with the user's information. However, we're OK with this type of usage. Please keep in mind that the user's authentication token must be stored securely on your service and the user must be able to log out (which automatically deletes all information you have about the user's account).
