How should the Web API access token be stored?

There are some similar topics here on Stack Overflow, but I find none of them has answered my question.

ASP.NET Web API 2 is what we use now. I am now able to accept CORS authentication request from my WebAPI. With the access token sent along in the Authorization header (Bearer xxx), I am able to access the resources protected by [Authorize] tags.

The problem is, how can I implement a function similar to a "Remember me" checkbox in the regular login form? All we want is that the user doesn't need to log in again the next time visiting our webpage. Is the access token for one session only? How does WebAPI2 set the expiration of the token? How can we save some info in the session or use local storage to store such authentication information? When we store this token in the client side, do we need some sort of encryption to protect it?

What is your suggestion in implementing this "Remember me" function?

Answers


Your authentication provider should give you the functionality for doing this. This is very simple to do if you use the ASP.Net Membership provider:

FormsAuthentication.RedirectFromLoginPage(strUserName, true);

The "true" above sets a persistent cookie.

When you use CORS and send the authentication cookie to your WebApi, the WebApi doesn't care whether the authentication is from an old "Remember me" cookie or from a fresh login. All it cares about is that the cookie value passed in the Authorization header is valid.

As for encryption of the cookie, this is also something your authentication provider should give you out of the box.


"The problem is, how can I implement a function similar to a "Remember me" checkbox in the regular login form? "

Save the token in the client-side localStorage when "Remember me" is checked => When the tab/browser is closed the token is still alive and next time you are automatically logged in.

Save the token in the client-side session storage when "Remember me" is not checked => Every time you close a tab/browser the session storage is cleared. Next time you check the token it does not exist. Therefore you have to log in again...

"All we want is that the user doesn't need to log in again the next time visiting our webpage."

See answer above!

Is the access token for one session only?

YES, a tab in the browser is a session.

How does WebAPI2 set the expiration of the token?

You set the time when the token expires!

How can we save some info in the session or use local storage to store such authentication information?

Only store the encrypted token on the client side, never userid/password.

When we store this token in the client side, do we need some sort of encryption to protect it?

The token is encrypted on the server side, then sent to the client and returned with every request. The client does not need to be able to read the token. The client must just send it with every request, that's it.
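As an added example, not code from either answer: a browser-side helper that keeps the bearer token in localStorage when "Remember me" is checked and in sessionStorage otherwise, records the expiry the token endpoint reported, discards the token once it has expired, and builds the Authorization header for calls to an [Authorize]-protected resource. The storage key name and the in-memory stand-in for Web Storage are assumptions so the snippet also runs outside a browser; it assumes the token endpoint returns `access_token` and `expires_in` (seconds), as the Web API 2 OAuth bearer endpoint does.

```javascript
// Storage key name is an assumption, not something Web API 2 prescribes.
const TOKEN_KEY = "auth_token";

// "Remember me" checked -> localStorage (survives closing the browser);
// unchecked -> sessionStorage (cleared when the tab/browser closes).
// In a browser pass window.localStorage / window.sessionStorage.
function pickStorage(rememberMe, localStore, sessionStore) {
  return rememberMe ? localStore : sessionStore;
}

// Store the opaque token together with an absolute expiry so the client
// can stop using it when the server would reject it anyway.
function saveToken(store, accessToken, expiresInSeconds, now = Date.now()) {
  const record = { token: accessToken, expiresAt: now + expiresInSeconds * 1000 };
  store.setItem(TOKEN_KEY, JSON.stringify(record));
  return record;
}

// Returns the token, or null if it is missing, malformed or expired.
// Expired or malformed records are removed so they are not retried.
function loadToken(store, now = Date.now()) {
  const raw = store.getItem(TOKEN_KEY);
  if (!raw) return null;
  let record;
  try { record = JSON.parse(raw); } catch (e) { store.removeItem(TOKEN_KEY); return null; }
  if (!record || typeof record.expiresAt !== "number" || record.expiresAt <= now) {
    store.removeItem(TOKEN_KEY);
    return null;
  }
  return record.token;
}

// Headers for a request to a resource protected by [Authorize]; an empty
// object means "not logged in, send the user to the login form".
function authHeaders(store, now = Date.now()) {
  const token = loadToken(store, now);
  return token ? { Authorization: "Bearer " + token } : {};
}

// Constructed in-memory stand-in with the Web Storage methods used above,
// so the functions can be exercised without a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

Clearing the token on logout is just `store.removeItem("auth_token")` on whichever storage was picked.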


Need Your Help

Can Visual Studio 2005 wsdl.exe create proxy methods with generic parameters?

visual-studio wsdl.exe

The proxy methods that I am seeing generated for methods that have generics for parameters like List Of <T> are getting converted to arrays in the proxy methods. I am not sure what the proble...

assets:precompile stack level too deep

ruby-on-rails-3

I'm trying to have success on running the task rake assets:precompile but I have the following error