Session handling in Ember


#1

Hello All,

How do I handle the session after login in Ember?

Thanks in Advance, Priyanka


#2

Use some addons that handle it. Torii and Simple Auth are the best choices. https://github.com/simplabs/ember-simple-auth http://vestorly.github.io/torii/


#3

#4

However, the authenticated state is maintained in a service, which you can easily change using Ember Inspector. And they are deprecating authorization as well. How secure is it to maintain the state in an Ember service?


#5

The authenticated state holds only a token; your backend must be ready to validate and decode that token. Even basic user/password auth must be validated in your backend.

Sorry about the delay, hope you already got your solution.


#6

Thanks for the reply. My backend team is handling it.


#7

Something to remember: nothing client-side can be considered “secure”, so everything needs to be validated by the API any time something requiring validation is done. You can do a few things, such as not storing sensitive things like the user’s password in plain text in a cookie or localStorage. But the token needs to be stored somewhere if you want to be able to try to re-establish the session on page refresh (where the service would be reset). The server should reset the token on a timely basis (every X number of minutes) so that if it is compromised the damage can be mitigated. Also, re-require the password for sensitive changes (like changing the password or email address) and re-validate that password against the API prior to making those kinds of changes.


#8

Thanks for the suggestions. It makes sense.


#9

In production you can disable Ember Inspector using window.NO_EMBER_DEBUG = true, which will prevent the inspector from loading.

That said, if a user knows to use Ember Inspector they probably know their way around most of the dev tools in modern browsers so will have access to cookies, network logs, and more. There’s not too much you can do to stop that. Cookies and auth session tokens are fairly easy to grab and share if you know what you’re doing. Your best defense is a short lived session with a refresh token and possibly IP or device verification server side.