How should the Web API access token be stored?

There are some similar topics here on Stack Overflow, but I find none of them has answered my question.

ASP.NET Web API 2 is what we use now. I am now able to accept CORS authentication request from my WebAPI. With the access token sent along in the Authorization header (Bearer xxx), I am able to access the resources protected by [Authorize] tags.

The problem is, how can I implement a function similar to a "Remember me" checkbox in the regular login form? All we want is that the user doesn't need to log in again the next time they visit our webpage. Is the access token for one session only? How does WebAPI2 set the expiration of the token? How can we save some info in the session or use local storage to store such authentication information? When we store this token on the client side, do we need some sort of encryption to protect it?

What is your suggestion in implementing this "Remember me" function?

Blaise asked Nov 26 '13 18:11


1 Answer

"The problem is, how can I implement a function similar to a 'Remember me' checkbox in the regular login form?"

Save the token in the client-side localStorage when "Remember me" is checked => When the tab/browser is closed the token is still alive and next time you are automatically logged in.

Save the token in the client-side sessionStorage when "Remember me" is not checked => Every time you close a tab/browser the session storage is cleared. Next time you check the token it does not exist. Therefore you have to log in again...

"All we want is that the user doesn't need to log in again the next time visiting our webpage."

See answer above!

"Is the access token for one session only?"

YES, a tab in the browser is a session.

"How does WebAPI2 set the expiration of the token?"

You set the time when the token expires!

"How can we save some info in the session or use local storage to store such authentication information?"

Only store the encrypted token on the client side, never userid/password.

"When we store this token on the client side, do we need some sort of encryption to protect it?"

The token is encrypted on the server side, then sent to the client for every request. The client does not need to be able to read the token. The client must just send it with every request, that's it.

Elisabeth answered Sep 27 '22 23:09
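The storage split the answer describes (localStorage when "Remember me" is checked, sessionStorage otherwise), plus the expiry handling the asker wondered about, as an added client-side example. This is not code from the question, the answer, or ASP.NET Web API 2 itself. It assumes the token endpoint returns the OAuth 2.0 bearer-token shape `{ access_token, expires_in }` (seconds), that the endpoint path is `/token` with a `grant_type=password` form post (the default in the Web API 2 OWIN template, but treat it as an assumption for your project), and it takes the two storage objects as a parameter so the same logic can be exercised with an in-memory stand-in outside a browser.

```javascript
// Added example (not from the original question or answer): choose the
// storage tier for a bearer token from the "Remember me" choice, remember
// when the server said it expires, and build the Authorization header.

const TOKEN_KEY = "access_token";
const EXPIRY_KEY = "access_token_expires_at"; // epoch milliseconds, as text

// Minimal Storage-compatible object (getItem/setItem/removeItem) so the
// logic can run outside a browser. In the page you would pass
// { localStorage: window.localStorage, sessionStorage: window.sessionStorage }.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

function clearStore(store) {
  store.removeItem(TOKEN_KEY);
  store.removeItem(EXPIRY_KEY);
}

// Logout: remove the token from both tiers.
function clearToken(stores) {
  clearStore(stores.localStorage);
  clearStore(stores.sessionStorage);
}

// tokenResponse is assumed to be { access_token, expires_in } (expires_in in
// seconds). rememberMe=true -> localStorage (survives closing the browser),
// rememberMe=false -> sessionStorage (cleared when the tab closes).
// Returns the absolute expiry time that was recorded.
function saveToken(tokenResponse, rememberMe, stores, now = Date.now()) {
  // Only one tier ever holds a token, so a stale copy cannot linger.
  clearToken(stores);
  const target = rememberMe ? stores.localStorage : stores.sessionStorage;
  const expiresAt = now + tokenResponse.expires_in * 1000;
  target.setItem(TOKEN_KEY, tokenResponse.access_token);
  target.setItem(EXPIRY_KEY, String(expiresAt));
  return expiresAt;
}

// Returns the stored token, or null when none exists or it has expired.
// An expired or malformed entry is purged so a dead token is never sent.
function loadToken(stores, now = Date.now()) {
  for (const store of [stores.sessionStorage, stores.localStorage]) {
    const token = store.getItem(TOKEN_KEY);
    if (token === null) continue;
    const expiresAt = Number(store.getItem(EXPIRY_KEY));
    if (!Number.isFinite(expiresAt) || expiresAt <= now) {
      clearStore(store);
      continue;
    }
    return token;
  }
  return null;
}

// Headers to merge into every call to an [Authorize]-protected resource.
function authHeaders(stores, now = Date.now()) {
  const token = loadToken(stores, now);
  return token === null ? {} : { Authorization: "Bearer " + token };
}

// Browser usage. The /token endpoint and the password grant are assumptions
// about the server; adjust to your own token endpoint.
async function login(username, password, rememberMe, stores) {
  const body = new URLSearchParams({ grant_type: "password", username, password });
  const res = await fetch("/token", { method: "POST", body });
  if (!res.ok) throw new Error("login failed: " + res.status);
  return saveToken(await res.json(), rememberMe, stores);
}

async function getProtected(url, stores) {
  return fetch(url, { headers: authHeaders(stores) });
}
```

Because anything in the same origin's scripts can read localStorage, pairing a short `expires_in` with server-side revocation limits what a leaked token is worth; the answer's rule of storing only the token, never the userid/password, is what keeps a leak bounded to that token's lifetime.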