Authenticate Member

Overview

The Persistent Login functionality allows you to add a "Remember Me" option to the member login form. Persistent Login is independent of the application session settings and is more secure (and more user-friendly) than simply setting a long application session lifetime.

The administrator controls how long member logins are remembered before a member has to enter their credentials again.

In the future we plan to provide additional security by attempting to detect unauthorized re-use of tokens.

Implementation

Authentication

The following method should be used for member login. It returns a member token and, if requested by passing 'true' in the <persistentlogin> element of the request body, a persistent login token as well.

The persistent login token should be saved in a cookie on the member's browser so it can be reused on future visits to the site.

POST /getmembertoken/{serviceToken} 

Parameter Type Status
ServiceToken String Mandatory
Request Body XML Mandatory

Request body

<requestauthenticatemembergettoken>
    <username>username</username>
    <password>password</password>
    <persistentlogin>true</persistentlogin>
</requestauthenticatemembergettoken>

Request elements

<username>username</username> Username
<password>password</password> Password
<persistentlogin>true</persistentlogin> Return a persistent login token

Response

<responsemembertoken>
    <membertoken value="hiwfg987fsg9d8gs9797sf" expiry="2016-10-06T12:46:56.68" utcoffset="11" />
    <persistentlogintoken token="aidfaiodfa867fadakdhakkwehrt" expiry="2016-11-06T09:46:56.68" utcoffset="11" />
    <error>
        <code></code>
        <description></description>
    </error>
</responsemembertoken>

Validate Token

This method should be used to check the persistent login token whenever one is found in the user's cookie.

Set both `renewexpiry` and `generatememberToken` to `true` to get a new member token back and to refresh the expiry of the persistent login token.

POST /validatepersistentlogintoken/{serviceToken} 

Parameter Type Status
ServiceToken String Mandatory
Request Body XML Mandatory

Request body

<requestvalidatepersistentlogintoken>
    <token>jkhfgskfd8g9sd7fg8s</token>
    <renewexpiry>true</renewexpiry>
    <generatememberToken>true</generatememberToken>
</requestvalidatepersistentlogintoken>

Request elements

<token>jkhfgskfd8g9sd7fg8s</token> Persistent login token
<renewexpiry>true</renewexpiry> Update the persistent login token expiry
<generatememberToken>true</generatememberToken> Return a member token

Successful Response

<responsemembertoken>
    <membertoken>jkhfgskfd8g9sd7fg8s</membertoken>
    <persistentlogintoken>aliksdfog87668r5tk3</persistentlogintoken>
    <error></error>
</responsemembertoken>

Expire Token

This method should be called when a member logs out. It expires the persistent login token.

Note: if a member or administrator changes the member's password, all related persistent login tokens expire automatically.

POST /expirepersistentlogintoken/{serviceToken} 

Parameter Type Status
ServiceToken String Mandatory
Request Body XML Mandatory

Request body

<requestexpirePersistentlogintoken>
    <token>aliksdfog87668r5tk3</token>
</requestexpirePersistentlogintoken>

Request elements

<token>aliksdfog87668r5tk3</token> Persistent login token

Successful Response

<ResponseCode>
    <code></code>
    <error></error>
</ResponseCode>

Guidelines

Interface

Golden rule: never pre-populate your login form with the password. If the browser (for example Google Chrome) wants to autocomplete it, let it, but never code your application to do this.

Each scenario below lists what to call on the API and what to do in the browser.

Scenario: a user without a "login token" logs in successfully and "remember me" is checked.
API: call getmembertoken with persistentlogin enabled to get a new "login token".
Browser: the "login token" is added as a cookie with an expiry; the "username" is stored as a cookie without an expiry.

Scenario: a user has a valid "login token".
API: call validatepersistentlogintoken when they revisit the site. There is a parameter to extend the expiry date; the existing "login token" is updated with a revised expiry.
Browser: the "login token" cookie expiry is updated.

Scenario: a user has a "login token" and it fails to validate.
API: call validatepersistentlogintoken; the member is not logged in when they revisit the site.
Browser: delete the "login token" and "username" cookies. The user will need to log in again. The "username" cookie cannot be used on the login form (it may have been changed in the admin).

Scenario: there is no "login token" (it never existed or the cookie has expired).
API: nothing to call.
Browser: populate the "username" in the login form only if it exists as a cookie.

Scenario: logout.
API: expire all "login tokens" for the member by calling expirepersistentlogintoken.
Browser: logging out clears the "login token" cookies.

 

Token and Cookie Expiry

The "login token" cookie is set to expire at the configured time; use the utcoffset returned with the expiry to store the correct time in the cookie.

The "username" cookie does not need an expiry, as it can still be used after the "login token" expires.
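As an added example (not code from this article or its service), the client-side handling of the revisit flow and the cookie guidelines above in Python: building the validate request body, converting the response's expiry/utcoffset pair into a UTC cookie expiry, and applying the success and failure branches of the scenario list. The cookie names `logintoken` and `username`, the dict standing in for the browser's cookie jar, and the error code in the failure sample are assumptions; the token values are copied from the article's own samples.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

def build_validate_request(token, renew_expiry=True, generate_member_token=True):
    """Build the <requestvalidatepersistentlogintoken> body sent when a member revisits."""
    root = ET.Element("requestvalidatepersistentlogintoken")
    ET.SubElement(root, "token").text = token
    ET.SubElement(root, "renewexpiry").text = str(renew_expiry).lower()
    ET.SubElement(root, "generatememberToken").text = str(generate_member_token).lower()
    return ET.tostring(root, encoding="unicode")

def cookie_expiry_utc(expiry, utcoffset):
    """Combine the response's local 'expiry' with 'utcoffset' (hours) into an aware UTC
    datetime, which is what the cookie's Expires attribute should carry."""
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in expiry else "%Y-%m-%dT%H:%M:%S"
    local = datetime.strptime(expiry, fmt)
    tz = timezone(timedelta(hours=float(utcoffset)))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)

def parse_member_token_response(xml_text):
    """Parse <responsemembertoken> from either endpoint (attribute or text form).
    Returns None when the service reports an error code or omits a token."""
    root = ET.fromstring(xml_text)
    if root.findtext("error/code"):          # non-empty <code> means failure
        return None
    member, persistent = root.find("membertoken"), root.find("persistentlogintoken")
    if member is None or persistent is None:
        return None
    result = {"membertoken": member.get("value") or (member.text or "").strip(),
              "persistentlogintoken": persistent.get("token") or (persistent.text or "").strip()}
    if persistent.get("expiry"):             # only the login response carries expiry/utcoffset
        result["cookie_expiry"] = cookie_expiry_utc(persistent.get("expiry"), persistent.get("utcoffset", "0"))
    return result

def on_revisit(cookies, response_xml):
    """Apply the scenario list: a valid token refreshes the login-token cookie and yields a
    member token; a failed validation deletes both cookies so the user must log in again."""
    parsed = parse_member_token_response(response_xml)
    if parsed is None:
        cookies.pop("logintoken", None)      # assumed cookie names
        cookies.pop("username", None)
        return None
    cookies["logintoken"] = parsed["persistentlogintoken"]
    return parsed["membertoken"]

# Constructed samples: SAMPLE_OK mirrors the article's login response; the error code is a placeholder.
SAMPLE_OK = ('<responsemembertoken>'
             '<membertoken value="hiwfg987fsg9d8gs9797sf" expiry="2016-10-06T12:46:56.68" utcoffset="11" />'
             '<persistentlogintoken token="aidfaiodfa867fadakdhakkwehrt" expiry="2016-11-06T09:46:56.68" utcoffset="11" />'
             '<error><code></code><description></description></error></responsemembertoken>')
SAMPLE_FAIL = ('<responsemembertoken><error><code>PLACEHOLDER_CODE</code>'
               '<description>token not valid</description></error></responsemembertoken>')
```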