0

I'm curious what the best means to implement "remember me" functionality would be when writing a client for a REST API.

I'm responsible for both the browser client (being done in angularjs) as well as the server.

One thing that occurs to me is to store auth tokens in a cookie, and simply have angularjs pull those when the app launches and attempt to use them to authenticate. I'm not sure if this would be considered insecure or just a bad idea...

Any tips on this would be hugely appreciated. I'm pretty much stumped.

jacheson
  • Storing credentials on client side is independent of whether you are talking to a REST API, database, HTTP API etc., right? – jordan May 09 '14 at 01:52

2 Answers

1

I've personally not done remember me using REST, but I am currently using a cookie for authenticating the REST calls. Basically the cookie stores a hashed username/password that I pass to the server.

I see no reason why this same cookie couldn't be used to implement some kind of remember me function. You just have to make sure that you are using an HTTPS connection to create the cookie and that you use a secure cookie. Implementing some kind of control system where a user that has authenticated using remember-me must re-authenticate using full username/password when trying to perform things like changing passwords etc. would help to tighten security as well.

JamesENL
0

You can just have an encrypted username and password stored in a cookie and can have a resource that takes in these values and verifies whether they have valid credentials or not. Also, the cookie should have a time after which it expires. You can also have different states returned by this resource, like logged_in, identified, etc., which you can use based on your requirements.

arnabmitra
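An added example, not code from the question or from either answer: a server-side sketch in Node.js that combines the points raised in this thread (a Secure cookie, an expiry, `logged_in` versus `identified` states, and full re-authentication before a password change). It assumes the cookie carries a random token, the "auth tokens" of the question, rather than the username and password; the function names, the `anonymous` state, the 30-day lifetime and the in-memory `store` are hypothetical.

```javascript
// Added example: remember-me token handling using only Node's standard library.
const crypto = require("crypto");

const REMEMBER_TTL_MS = 30 * 24 * 60 * 60 * 1000; // assumed 30-day lifetime
const store = new Map(); // selector -> { userId, validatorHash, expires }; stands in for a DB table

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Issue a random token after a full username/password login.
// Only a hash of the validator is kept server-side, so a leaked table cannot be replayed.
function issueRememberToken(userId, now = Date.now()) {
  const selector = crypto.randomBytes(12).toString("hex");
  const validator = crypto.randomBytes(32).toString("hex");
  store.set(selector, { userId, validatorHash: sha256(validator), expires: now + REMEMBER_TTL_MS });
  const value = `${selector}.${validator}`;
  // Secure: sent over HTTPS only. HttpOnly: page scripts cannot read it; the browser
  // attaches it to API requests itself. SameSite limits cross-site sending.
  const setCookie = `remember=${value}; Max-Age=${REMEMBER_TTL_MS / 1000}; ` +
    "Path=/; Secure; HttpOnly; SameSite=Lax";
  return { value, setCookie };
}

// Resolve a cookie value to an auth state. A remembered user is only "identified".
function authenticateRemembered(value, now = Date.now()) {
  const [selector, validator] = String(value || "").split(".");
  const rec = store.get(selector);
  if (!rec || !validator) return { state: "anonymous" };
  store.delete(selector); // single use: expired, wrong or valid, the old token is gone
  if (now > rec.expires) return { state: "anonymous" };
  if (!crypto.timingSafeEqual(rec.validatorHash, sha256(validator))) {
    return { state: "anonymous" }; // known selector, wrong validator: stays revoked
  }
  const next = issueRememberToken(rec.userId, now); // rotate on every use
  return { state: "identified", userId: rec.userId, value: next.value, setCookie: next.setCookie };
}

// Sensitive actions need a session created with the full username/password.
function canChangePassword(session) {
  return session.state === "logged_in";
}
```
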