Token based authentication

Adil

DevBest CEO
May 28, 2011
1,278
718
I am using Google Cloud Endpoints for my API but I'd like to use something a bit more 'generic' (GCE only allows for authenticating against google accounts). I've decided upon using a token to authenticate users.
My question is: should I use a system in which tokens expire after a certain amount of time? Or should tokens be permanent?
 

Khalil

IDK
Dec 6, 2011
1,642
786
I'd feel safer if I knew the application I'm using makes sure that my authentication tokens expire after a certain period of time.

One question though: if you do make auth tokens expire, will they get destroyed only after the user logs out, with a new token set after logging in again, or while the user is logged in, forcing him to be logged out and then log in again, and so on?
 

Adil

DevBest CEO
May 28, 2011
1,278
718
They will be used for authorization so the user does not need to repeatedly log in/authenticate themselves when accessing protected resources (e.g. /books/new).
I generate them via Python's built-in uuid module:
Code:
import uuid

def generate_auth_token():
    # uuid4() draws its random bits from the OS randomness source
    return uuid.uuid4()
uuid4() provides enough randomness to make brute-force attacks extremely difficult, so it's pretty safe.
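The thread raises two practical questions: whether tokens should expire (first post) and what happens to a logged-in user when they do (Khalil's follow-up). The following is an added example, not code from the original thread or from any poster; it shows one way to answer both with a small server-side token store. Tokens are generated with Python's `secrets` module (the standard library's purpose-built source for authentication tokens), only a SHA-256 digest of each token is stored so a copied table does not yield usable credentials, every token carries an absolute expiry, and a `renew` method implements a sliding window so an active user is not forced out mid-session. The TTL value, the `TokenStore` class and the injectable `clock` are assumptions made for the example; a real deployment would back the store with a datastore.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed default lifetime; tune per application (seconds).
TOKEN_TTL_SECONDS = 3600


@dataclass
class TokenRecord:
    user_id: str
    expires_at: float


class TokenStore:
    """Server-side store of issued tokens keyed by SHA-256(token).

    Storing only the digest means a leaked copy of the store does not
    contain anything a client could present as a bearer token.
    `clock` is injectable so expiry behaviour can be tested deterministically.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._records = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Mint a fresh token for user_id and return it to the caller once."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = TokenRecord(
            user_id=user_id, expires_at=self._clock() + self._ttl
        )
        return token

    def authenticate(self, token):
        """Return the owning user_id if the token is known and unexpired, else None."""
        key = self._digest(token)
        record = self._records.get(key)
        if record is None:
            return None
        if self._clock() >= record.expires_at:
            # Expired tokens are dropped on sight so the store does not accumulate them.
            del self._records[key]
            return None
        return record.user_id

    def renew(self, token):
        """Sliding expiry: extend a still-valid token on use instead of forcing re-login.

        Returns True if the token was valid and extended, False otherwise.
        """
        key = self._digest(token)
        if self.authenticate(token) is None:
            return False
        self._records[key].expires_at = self._clock() + self._ttl
        return True

    def revoke(self, token):
        """Logout: discard the token server-side so it is rejected immediately."""
        self._records.pop(self._digest(token), None)

    def purge_expired(self):
        """Housekeeping: remove every expired record; returns how many were dropped."""
        now = self._clock()
        dead = [k for k, r in self._records.items() if now >= r.expires_at]
        for k in dead:
            del self._records[k]
        return len(dead)


def demo():
    """Walk through issue, use, sliding renewal, expiry and revocation with a fake clock."""
    now = [1000.0]
    store = TokenStore(ttl=60, clock=lambda: now[0])
    token = store.issue("alice")
    first = store.authenticate(token)          # "alice"
    now[0] += 50
    renewed = store.renew(token)               # True: still valid, expiry pushed to 1110
    now[0] += 50                               # t=1100, would have expired without renewal
    still_valid = store.authenticate(token)    # "alice"
    now[0] += 11                               # t=1111, past the renewed expiry
    expired = store.authenticate(token)        # None
    return first, renewed, still_valid, expired


if __name__ == "__main__":
    print(demo())
```

Note that the `renew` call is what answers Khalil's question: with an absolute expiry only, an active user is logged out when the clock runs down; with sliding renewal on each authenticated request, only idle sessions expire, and `revoke` still lets logout (or an incident responder) kill a token at once.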
 
