Increase Google login session time with Laravel 4

6

Working with the Google 3.0 API.

My Laravel session expires in 5 years (so as not to log out). But the Google session lasts 3 hours, i.e. if the system is stopped for 3 hours it logs out from Google, but not from the system in Laravel.

What I want is to stay logged in for more than 3 hours on Google. How to do it?

    
asked by anonymous 25.02.2014 / 23:03

1 answer

2

The access token expires in a short time, apparently for reasons of access security. If it is compromised, the access expires in a short time and with it the threat.

But there is the refresh token, which can be used to update the session and thus generate another access token, contributing to a longer session.

Concept

    // perform the login operations...

    // collect the access token
    $_SESSION['token'] = $client->getAccessToken();

    // if we have the access token
    if (isset($_SESSION['token']) && $_SESSION['token'] != '') {

      // set a new access token
      $client->setAccessToken($_SESSION['token']);

      /* Decode the JSON we stored in the session variable
       * and put it in a variable as an object
       */
      $sessionToken = json_decode($_SESSION['token']);

      /* store the refresh token in a cookie named "token",
       * giving it a longer lifetime; skipped when the token JSON
       * has no refresh_token, so the cookie is not overwritten with an empty value
       */
      if (isset($sessionToken->refresh_token)) {
        setcookie("token", $sessionToken->refresh_token, time()+60*60*24*30);  /* 1 month lifetime */
      }
    }

Refresh the session if you have to resort to a new login

When the access token is required, we can check the cookie:

  • If it is empty, we should request a new access token and a new refresh token through authentication;
  • If it is not empty, let's tell the client to update the token:

    if (isset($_COOKIE['token']) && $_COOKIE['token'] != '') {
      $client->refreshToken($_COOKIE['token']);
    }
    

    We're basically updating the access token with the help of the refresh token again.

Notes:

  • The code shown should be adapted to your scenario.
  • You should note that for security purposes the token you are saving to extend the life of the session should be in the database instead of a cookie.
  • Although you have not encountered the access token and refresh token, we can read (in English) that the refresh token was created for the purpose of being "super-durable", precisely to avoid always involving the user in the session renewals:

      

    Short-lived tokens with Long-lived authorizations

    Instead of issuing a long lasting token (typically good for a year or unlimited lifetime), the server can issue a short-lived access token and a long lived refresh token. This allows the client to obtain a new access token without having to involve the user again, but keeps access tokens limited. This feature was adopted from Yahoo!'s BBAuth protocol and later its OAuth 1.0 Session Extension.

    Which translates as:

    Short-lived tokens with long-lived authorizations

    Instead of issuing a long-lasting token (usually good for a year or unlimited lifetime), the server can issue a short-lived access token and a long-lived refresh token. This allows the client to obtain a new access token without having to re-engage the user, but keeps access tokens limited. This feature was adopted from Yahoo!'s BBAuth protocol and later its OAuth 1.0 session extension.

This answer is an adaptation, to an anonymous format, of the answer given by @hope_industries on SOEN. Consult it for the practical case that is treated there.

    
26.02.2014 / 20:14
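The answer's note about keeping the refresh token in the database rather than in a cookie, as an added example that is not part of the original answer. The table name, the helper names, the user ids and the `StandInClient` class (a constructed stand-in for the page's `$client`, so the block runs offline with the `pdo_sqlite` extension) are assumptions.

```php
<?php
// Added example: keep the refresh token server-side, keyed by user id.
// Table, helper names and StandInClient are assumptions for illustration.
function tokenStore(PDO $pdo) {
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS google_tokens (
        user_id INTEGER PRIMARY KEY, refresh_token TEXT NOT NULL)');
    return $pdo;
}

// Call right after login. Stores a refresh token only when the token JSON
// carries one, so an existing row is never replaced by an empty value.
function rememberRefreshToken(PDO $pdo, $userId, $accessTokenJson) {
    $token = json_decode($accessTokenJson);
    if (!is_object($token) || empty($token->refresh_token)) {
        return false;
    }
    $stmt = $pdo->prepare('REPLACE INTO google_tokens (user_id, refresh_token) VALUES (?, ?)');
    $stmt->execute(array($userId, $token->refresh_token));
    return true;
}

// Call before using the API. Returns false when the user must log in again.
function ensureAccessToken($client, PDO $pdo, $userId) {
    if (!$client->isAccessTokenExpired()) {
        return true;
    }
    $stmt = $pdo->prepare('SELECT refresh_token FROM google_tokens WHERE user_id = ?');
    $stmt->execute(array($userId));
    $refreshToken = $stmt->fetchColumn();
    if ($refreshToken === false) {
        return false;
    }
    $client->refreshToken($refreshToken);
    return true;
}

// Constructed stand-in exposing the two client methods used above.
class StandInClient {
    public $expired = true;
    public function isAccessTokenExpired() { return $this->expired; }
    public function refreshToken($token) { $this->expired = false; }
}

$pdo = tokenStore(new PDO('sqlite::memory:'));
$login = '{"access_token":"constructed-access","refresh_token":"constructed-refresh"}';
var_dump(rememberRefreshToken($pdo, 42, $login));                     // first login
var_dump(rememberRefreshToken($pdo, 42, '{"access_token":"later"}')); // no refresh_token
var_dump(ensureAccessToken(new StandInClient(), $pdo, 42));           // stored token
var_dump(ensureAccessToken(new StandInClient(), $pdo, 7));            // unknown user
```

With this layout the browser only ever holds the application's own session identifier; the long-lived Google credential stays on the server and can be deleted per user to end the extended session.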