It looks like Firebase, when they moved from the v2 to v3.x SDKs (and now into v4), decided to remove the option for automatic session expiration in favor of the always-authenticated model.
This is a nice feature to offer, but from a cybersecurity perspective, I see some problems as this is the only option for the Firebase SDKs with Firebase-generated tokens such as email and password authentication (some of which are explained well in the linked google group discussion).
The commonly-provided suggestion to call user.signOut() on page exit has some holes. Namely, if the client crashes, then this code is never executed and therefore the strategy falls apart. The "sign out on page load" suggestion also has holes in it:
user.signOut()
I'm looking for a strategy that does a better job, from a cybersecurity perspective, that allows a user to opt in to the "always-authenticated" strategy if he/she so chooses, rather than it being the default (i.e. with a "Remember Me" button).
One strategy I came up with is as follows:
This feels more secure because the onDisconnect method will still execute even if the browser crashes. But, the JWT is not available as a Firebase rules variable (only the contents of the token)!
In light of these issues/flawed approaches, how can I invalidate a session after the browser closes/crashes (or even after a pre-determined period of time) with a Firebase-generated token?
How long does a Firebase Auth session last when the user is offline? Firebase Authentication is based on two tokens: a refresh token that never expires, and an ID token that expires an hour after it's minted and is auto-refreshed by the SDKs.
Firebase ID tokens are short lived and last for an hour; the refresh token can be used to retrieve new ID tokens. Refresh tokens expire only when one of the following occurs: The user is deleted.
exp: The time, in seconds, at which the token expires. It can be at most 3600 seconds later than iat.
This means you can decide at which point you force a user to log out. By default, Firebase Authentication persists a user's session even after the user closes the browser, but that is not the only option you have; you can set Firebase Authentication to: Persist the auth session indefinitely.
Here is a suggestion: The ID token has an auth_time field. This is the time the user authenticated; you can force whatever session length you want. You can enforce that if you validate the token on your server or via database rules using https://firebase.google.com/docs/reference/security/database/#now and auth.token.auth_time. Check https://firebase.google.com/docs/reference/security/database/#authtoken.
You would require the user to reauthenticate to access the data. Reauthentication will update the auth_time in the token.
This is a better approach, since keeping track of all ID tokens will not scale well; ID tokens expire after an hour, and new ones will be refreshed after the user returns to the app but will maintain the same auth_time.
Not sure if this will alleviate your concerns, but Firebase is looking into the following features:
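A worked illustration of the auth_time approach from the answer above, added here as an example (it is not code from the question, the answer, or the Firebase project). It shows the Realtime Database rule that enforces a maximum session age from auth.token.auth_time (note that the rules variable now is in milliseconds while auth_time is in seconds), plus the same predicate evaluated on a decoded ID-token payload so the client can decide when to prompt for reauthentication. The 30-minute limit, the function names and the sample token are assumptions.

```javascript
// Assumed policy: a session may be no older than 30 minutes since sign-in.
const MAX_SESSION_SECONDS = 30 * 60;

// Realtime Database rules: `now` is milliseconds since epoch, auth_time is seconds.
// A refreshed ID token keeps the original auth_time, so this measures sign-in age,
// not token age. Reauthentication mints a token with a new auth_time.
const RULES = {
  rules: {
    ".read":  "auth != null && auth.token.auth_time > (now / 1000) - " + MAX_SESSION_SECONDS,
    ".write": "auth != null && auth.token.auth_time > (now / 1000) - " + MAX_SESSION_SECONDS,
  },
};

// Decode a JWT payload WITHOUT verifying the signature. On the client this is only a
// UX hint (when to ask the user to sign in again); enforcement stays in rules/server.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Same predicate as the rule above, for a given wall-clock time in milliseconds.
function sessionStillValid(payload, nowMs, maxAgeSeconds = MAX_SESSION_SECONDS) {
  if (typeof payload.auth_time !== "number") return false; // no sign-in time: treat as expired
  return payload.auth_time > nowMs / 1000 - maxAgeSeconds;
}

// Constructed sample token (header.payload.dummy-signature) for offline demonstration.
function makeSampleToken(payload) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.sig`;
}

// Scenario: signed in at t0; the SDK later refreshed the ID token (new iat/exp),
// but auth_time is still t0, so the rule still sees the original sign-in.
const t0 = 1700000000;
const refreshedToken = makeSampleToken({ auth_time: t0, iat: t0 + 3000, exp: t0 + 6600 });
const payload = decodeJwtPayload(refreshedToken);
console.log(JSON.stringify(RULES.rules));
console.log("10 min after sign-in:", sessionStillValid(payload, (t0 + 600) * 1000));   // true
console.log("31 min after sign-in:", sessionStillValid(payload, (t0 + 1860) * 1000));  // false
```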