 

Session management with Firebase?


I am building a basic webapp using Firebase that requires authentication and session handling. Going over the docs for Firebase Auth, I decided to use the email/password option over the Facebook login.

Upon successful login, we get a token that could be used again for logging in when the page refreshes or on a new tab using auth(). But, for that we would need to save the token somewhere on the client side. Going through the source code for Firefeed which implements auth and session handling, the token is saved in the localStorage of the user's browser.

How secure is this approach, given that localStorage data would be visible to anyone using the browser? Is there any better alternative to this?

zodvik asked Dec 30 '12 19:12





1 Answer

The tokens returned by the Simple Login are time-bound, user-specific tokens. If compromised, they will at worst allow an attacker to impersonate that user for a limited period of time. They do not contain the user's password or other sensitive data.

localStorage can only be accessed by JavaScript on the host domain from which it was saved, so other sites you visit will have no access to it (assuming the browser or your site hasn't been compromised, but if they have, all bets are off...)

So, short answer, this approach is quite secure.

Andrew Lee answered Sep 17 '22 05:09

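A small client-side session helper for the scheme discussed above, added here as an example and not code from the question, the answer, Firefeed, or Firebase. It assumes the token is a JWT carrying an `exp` claim (as the answer's "time-bound" tokens imply), uses a constructed storage key, and substitutes a Map-backed object for `window.localStorage` so it runs under Node (where `Buffer` replaces the browser's `atob`):

```javascript
const TOKEN_KEY = 'firebaseAuthToken'; // constructed storage key (assumption)
// Read the JWT payload WITHOUT verifying the signature: the client has no
// secret, so exp is only a hint about whether the token is worth reusing.
// The Firebase backend still validates every token it receives.
function decodePayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  try {
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (e) {
    return null; // malformed payload is treated as unusable
  }
}
function isExpired(token, nowSeconds) {
  const p = decodePayload(token);
  return !p || typeof p.exp !== 'number' || p.exp <= nowSeconds;
}

// Store only tokens that are still valid; returns whether it was stored.
function saveSession(storage, token, nowSeconds) {
  if (isExpired(token, nowSeconds)) return false;
  storage.setItem(TOKEN_KEY, token);
  return true;
}

// On reload or in a new tab: return the stored token if still valid,
// otherwise remove it so an expired credential does not linger in storage.
function restoreSession(storage, nowSeconds) {
  const token = storage.getItem(TOKEN_KEY);
  if (token !== null && !isExpired(token, nowSeconds)) return token;
  storage.removeItem(TOKEN_KEY);
  return null;
}

// Constructed, unsigned JWT-shaped token for demonstration only.
function makeSampleToken(exp, uid) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return enc({ alg: 'none', typ: 'JWT' }) + '.' +
    enc({ iat: exp - 3600, exp, d: { uid } }) + '.sig';
}

// Map-backed stand-in for window.localStorage so this runs under Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => { m.set(k, String(v)); },
           removeItem: (k) => { m.delete(k); } };
}
```

Calling `restoreSession` on every page load gives the refresh/new-tab behaviour the question describes while making sure a token past its `exp` is removed rather than left sitting in localStorage.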