Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Firebase session expiration

It looks like Firebase, when they moved from the v2 to v3.x SDKs (and now into v4), decided to remove the option for automatic session expiration in favor of the always-authenticated model.

  • Firebase 3.x - Token / Session Expiration
  • https://groups.google.com/forum/#!topic/firebase-talk/uYMlQny1Jb4

This is a nice feature to offer, but from a cybersecurity perspective, I see some problems as this is the only option for the Firebase SDKs with Firebase-generated tokens such as email and password authentication (some of which are explained well in the linked google group discussion).

The commonly-provided suggestion to call user.signOut() on page exit has some holes. Namely, if the client crashes, then this code is never executed and therefore the strategy falls apart. The "sign out on page load" suggestion also has holes in it:

  1. Forces all users to log in every time the page loads/reloads (not the goal)
  2. As Firebase pushes most everything to the client, there is nothing stopping someone for creating a script that attempts to access a targeted Firebase without having the user.signOut()

I'm looking for a strategy that does a better job, from a cybersecurity perspective, that allows a user to opt in to the "always-authenticated" strategy if he/she so chooses, rather than it being the default (i.e. with a "Remember Me" button).

One strategy I came up with is as follows:

  1. User signs in
  2. Get the generated JWT for that session and write it to Firebase
  3. If the user didn't select "remember me" on sign in, set up an onDisconnect handler that clears the token from the list of that users tokens
  4. In Firebase security rules, ensure that the JWT for the user making the request is in the list of tokens for that user

This feels more secure because the onDisconnect method will still execute even if the browser crashes. But, the JWT is not available as a Firebase rules variable (only the contents of the token)!

In light of these issues/flawed approaches, how can I invalidate a session after the browser closes/crashes (or even after a pre-determined period of time) with a Firebase-generated token?

like image 530
MandM Avatar asked Jul 06 '17 21:07

MandM


People also ask

How long does Firebase session last?

How long does a Firebase Auth session last when the user is offline? Firebase Authentication is based on two tokens: a refresh token that never expires, and an ID token that expires an hour after it's minted and is auto-refreshed by the SDKs.

Does Firebase login expire?

Firebase ID tokens are short lived and last for an hour; the refresh token can be used to retrieve new ID tokens. Refresh tokens expire only when one of the following occurs: The user is deleted.

How long do Firebase tokens last?

exp The time, in seconds, at which the token expires. It can be at a maximum 3600 seconds later than iat.

What is Firebase persistence?

It means that you can decide on which point you force a user to log out. By default, Firebase Authentication default behavior is to persist a user's session even after the user closes the browser, but that's not the only option you have, you can set firebase authentication to: Persist the auth session indefinitely.


1 Answers

here is a suggestion: The ID token has an auth_time field. This is the time the user authenticated, you can force whatever session length you want. You can enforce that if you validate the token on your server or via database rules using https://firebase.google.com/docs/reference/security/database/#now and auth.token.auth_time. Check https://firebase.google.com/docs/reference/security/database/#authtoken.

You would require the user reauthenticate to access the data. Reauthentication will update the auth_time in the token.

This is a better approach since keeping track of all ID tokens will not scale well and ID tokens expire after an hour and new ones will be refreshed after the user returns to the app but will maintain the same auth_time.

Not sure if this will alleviate your concerns but Firebase is looking into the following features:

  1. The ability to specify persistence for web authentication. This is similar to how sessionOnly auth worked in Firebase 3.x. This will make "Remember Me" functionality easy to implement.
  2. The ability to revoke sessions.
like image 54
bojeil Avatar answered Nov 14 '22 23:11

bojeil