refresh session cookies #194

savlevich opened this issue Feb 10, 2021 · 3 comments

savlevich commented Feb 10, 2021

I would like to set the session lifetime for the client to 6 hours. And if the user logged in and did not take any action during this time, then log him out and redirect him to the login page. But if the user has been making requests to the server with a valid token for 6 hours, I would like to update this token and start the token lifetime again.

If I follow the instructions according to the Firebase session cookies documentation found here https://firebase.google.com/docs/auth/admin/manage-cookies?hl=en

I can generate the session token on the server in exchange for an idToken and return the session ID to the client as a cookie. After that we only use the session token between client and server as a cookie. We can also check if the session has expired using verifySessionCookie.

But I can't figure out a way of refreshing the session cookie without telling the user to sign in again.
Could you help me understand how this can be implemented?

@rpressiani

Any news on this?


kasvith commented May 19, 2023

2023 and still nothing... what's Firebase doing?


francescovenica commented Oct 24, 2023

I have the same issue. I found a kind of solution, but I'm not sure it is secure enough and I'm not sure it is a valid way. I never tried this in prod, I just played with it locally, but maybe it can help:

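    // Fragment of a request handler: req, res, auth, setCookie, GOOGLE_API,
    // expiresIn and cookieOptions are not shown in the post.
    // The value read here is the current session cookie (named idToken).
    const idToken = req.cookies.session;
    // Second argument true = also check whether the session was revoked.
    const session = await auth().verifySessionCookie(idToken, true);
    if (session) {
      // Mint a custom token for the same user...
      const customToken = await auth().createCustomToken(session.uid);

      // ...and exchange it for a fresh ID token through the REST API.
      const response = await fetch(
        `${GOOGLE_API}:signInWithCustomToken?key=${process.env.NEXT_PUBLIC_API_KEY}`,
        {
          method: "POST",
          cache: "no-cache",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ token: customToken, returnSecureToken: true }),
        },
      );

      // Create a new session cookie from the fresh ID token.
      const result = await response.json();
      const sessionCookie = await auth().createSessionCookie(result.idToken, {
        expiresIn,
      });

      // Overwrite the old cookie with the new one.
      setCookie(res, "session", sessionCookie, {
        ...cookieOptions,
        maxAge: expiresIn,
      });

      return res.json({ session, customToken, sessionCookie });
    }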

I use this in a refresh endpoint, so you call that whenever you want to refresh the cookie.
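The following is an added example, not part of the thread or of any Firebase project code: a sliding-renewal sketch of the 6-hour session asked for in the issue, built on the same Admin SDK calls the comment above uses. `auth` is passed in so the logic can be exercised with a stub, `exchangeCustomToken` is a hypothetical helper wrapping the `signInWithCustomToken` request shown above, and the code assumes the decoded cookie carries `iat` and `exp` in seconds.

```javascript
// Added example: sliding session renewal with injected dependencies.
// `auth` must expose verifySessionCookie, createCustomToken and
// createSessionCookie; `exchangeCustomToken` is a hypothetical helper that
// posts the custom token to signInWithCustomToken and returns the ID token.
const SESSION_MS = 6 * 60 * 60 * 1000; // 6 hours, as asked in the issue

// Renew only in the second half of the cookie's life, so that not every
// request triggers a token exchange. iat/exp are assumed to be in seconds.
function needsRefresh(claims, nowSec) {
  const lifetime = claims.exp - claims.iat;
  return nowSec >= claims.iat + lifetime / 2;
}

// createSessionCookie takes milliseconds; the Max-Age attribute takes seconds.
function buildSetCookie(value, ms) {
  const maxAge = Math.floor(ms / 1000);
  return `session=${value}; Max-Age=${maxAge}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

async function refreshSession({ auth, exchangeCustomToken }, cookie, nowSec) {
  let claims;
  try {
    // checkRevoked = true: a revoked session is rejected here.
    claims = await auth.verifySessionCookie(cookie, true);
  } catch {
    return { action: "login" }; // expired, revoked or malformed: sign in again
  }
  if (!needsRefresh(claims, nowSec)) return { action: "keep" };

  const customToken = await auth.createCustomToken(claims.uid);
  const idToken = await exchangeCustomToken(customToken);
  const fresh = await auth.createSessionCookie(idToken, { expiresIn: SESSION_MS });
  // The new cookie goes only into Set-Cookie, never into the response body.
  return { action: "refresh", setCookie: buildSetCookie(fresh, SESSION_MS) };
}
```

With this policy a user whose last request falls in the first half of the window is signed out when the cookie expires, so the effective idle timeout lies between 3 and 6 hours.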
