Session handling in Ember

parekhpiya2002 · August 16, 2017, 9:29am

Hello All,

How to handle session after login in Ember

Thanks in Advance, Priyanka

heatbr · August 16, 2017, 1:33pm

Use some addons that handle it. Torii and Simple Auth are best choice. GitHub - simplabs/ember-simple-auth: A library for implementing authentication/authorization in Ember.js applications. Torii

broerse · August 16, 2017, 2:32pm

github.com

broerse/ember-cli-blog/blob/master/app/controllers/login.js

import Controller from '@ember/controller';
import { action, set } from '@ember/object';
import { inject as service } from '@ember/service';

export default class LoginController extends Controller {
  @service session;
  @service router;

  @action authenticate(event) {
    const { target } = event;
    let identification = target.querySelector('#username').value;
    let password = target.querySelector('#password').value;
    event.preventDefault();
    this.session
      .authenticate('authenticator:pouch', identification, password)
      .then(() => {
        set(this, 'username', '');
        set(this, 'password', '');
      })
      .catch((reason) => {

This file has been truncated. show original

Chendraayan · May 23, 2018, 12:17pm

However, the authenticated states are maintained in service, which you can easily change using ember inspector. And they are deprecating authorization also. How secure is to maintain the states in ember service?

heatbr · June 4, 2018, 1:57pm

the authenticated states hold only a token, your backend must be ready to validate it and decode that token. Even a basic user password auth must be validate in your backend.

Sorry about the delay, hope you already got your solution.

Chendraayan · June 21, 2018, 12:21pm

Thanks for the reply. My backend team is handling it.

localpcguy · June 21, 2018, 2:55pm

Something to remember - nothing client-side can be consider “secure”, so everything needs to be validated by the API any time something requiring validation is done. You can do a few things, like not storing sensitive things like the user’s password in plain text in a cookie or localStorage. But the token needs to be stored somewhere if you want to be able to try to re-establish the session on page refresh (where the service would be reset). The server should reset the token on a timely basis (every X number of minutes) so that if it is compromised the damage can be mitigated. Also, re-require password for sensitive changes (like changing the password, email address) and re-validate that password against the API prior to making those kinds of changes.

Chendraayan · June 26, 2018, 10:53am

Thanks for the suggestions. It makes sense.

rtablada · June 27, 2018, 5:56pm

In production you can disable the Ember inspector using window.NO_EMBER_DEBUG = true which will disable the inspector from loading.

That said, if a user knows to use Ember Inspector they probably know their way around most of the dev tools in modern browsers so will have access to cookies, network logs, and more. There’s not too much you can do to stop that. Cookies and auth session tokens are fairly easy to grab and share if you know what you’re doing. Your best defense is a short lived session with a refresh token and possibly IP or device verification server side.

Topic		Replies	Views
Error 401 handling in simple ember auth	0	1269	February 4, 2016
What's everyone using for client side Auth these days?	1	921	August 30, 2014
Handle Anonymous User Authorization & Session Design	0	1727	May 16, 2016
What is the best way to handle user authentication with ember?	4	2331	July 28, 2014
Introducing Torii: Authentication primitives for Ember apps	3	7770	June 18, 2014

Session handling in Ember

Related Topics