Persist user authorized status without username/password

I am building a web app using Evernote's service. I use OAuth for user authorization, and would prefer that:

  1. No login is required: once a user authorizes my web app, the user can start using the service. My app will use the returned userId (or token) as the identification of the user.
  2. Within the authorized duration, the user may use the service from time to time. I don't want my user to do the authorization for each request, so I need to persist the user's login status in some way.

Barry Jaspan's article describes a best practice for persistent login, which I think is good to refer to. I would like to adapt it a bit and use it in my app.

Here is the adapted design:

1. When the user is successfully authorized by the Evernote OAuth service, my app will issue a cookie to the user.

2. The cookie contains the userId and a random token from a large space; the userId and the random number will be stored in my app.

3. When a user visits my web app with the cookie, the username and token are looked up in the database.

  • If the pair is present, the user is considered authenticated. My web app will load the access token and NoteStore URL. In addition, a new token is generated, stored in the database with the username, and issued to the user via a new cookie.
  • An invalid pair is regarded as a potential attack, and thus will trigger the invalidation of all of that user's tokens (Jaspan made an improvement on preventing DoS attacks).

4. If the cookie is not present, redirect the user to authorize, and repeat step 1.

Is the above solution a good practice, or do you have any other suggestions? Thanks a lot!

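The four-step cookie scheme described in the post above, worked through as an added Python example (it is not code from the poster or from Evernote). It assumes an in-memory dict standing in for the app's database, stores only a SHA-256 hash of each random token so a database leak does not yield usable cookies, and treats a known userId presented with an unknown token as the theft signal that wipes all of that user's tokens; the Evernote access token and NoteStore URL are assumed to live in a separate per-user record.

```python
import hashlib
import secrets

# Stand-in for the app database: user_id -> set of hashed login tokens.
# (Constructed for this example; a real app would use its DB of record.)
_TOKENS = {}

def _hash(token):
    # Store hashes only: a leaked DB must not hand out valid cookies.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_cookie(user_id):
    """Step 1/2: mint a fresh random token for user_id and return the cookie value."""
    token = secrets.token_urlsafe(32)            # 256 bits from os.urandom
    _TOKENS.setdefault(user_id, set()).add(_hash(token))
    return f"{user_id}:{token}"

def validate_cookie(cookie):
    """Step 3: returns a rotated cookie on success, or None meaning
    'redirect to Evernote OAuth' (step 4)."""
    if cookie is None or ":" not in cookie:
        return None                               # absent or malformed: just re-authorize
    user_id, _, token = cookie.partition(":")
    stored = _TOKENS.get(user_id)
    if not stored:
        return None                               # unknown or logged-out user, not an attack
    digest = _hash(token)
    if digest in stored:
        stored.discard(digest)                    # one-time use: rotate on every visit
        return issue_cookie(user_id)
    # Known user, wrong token: the cookie was likely stolen and the thief or the
    # victim replayed an old value. Invalidate every token for this user so the
    # next visit by either party goes back through OAuth.
    _TOKENS.pop(user_id, None)
    return None

def logout(user_id):
    """Drop every persistent-login token for the user (the access token record
    should be deleted alongside it)."""
    _TOKENS.pop(user_id, None)
```

Because the returned token is single-use, a replayed cookie from before a rotation is exactly the "invalid pair" case and triggers the full invalidation.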

Evernote isn't intended to be an identity provider - unlike some social networks - because it always forces the user to go through the OAuth flow and doesn't provide the developer with the user's information. However, we're OK with this type of usage. Please keep in mind that the user's authentication token must be stored securely on your service and the user must be able to log out (which automatically deletes all information you have about the user's account).