I'm trying to build an automated login using Google's AuthSub, but I need to store data for the users that log in.

... and basically I don't get it. Should the token from Google change the 2nd time a user logs in, that user loses his/her info, and you don't get any info like a userId that you can use to store information against it.

Unless the token does not change and you can store info against that token.

See http://code.google.com/apis/accounts/docs/AuthSub.html#WorkingAuthSub point 5

A: 

There are two kinds of token; I'm going to assume that you're not talking about the single-use token obtained from a call to AuthSubRequest, but are talking about the long-lived session token obtained from AuthSubSessionToken.

The page explicitly says that "Session tokens do not expire."

So no, the token shouldn't become invalid just because a user logs in again.

On the other hand, if you ignore your existing token and request a new one - yes, you'll end up with a different token.

There is one thing (other than your app calling AuthSubRevokeToken, which of course will result in the token being invalidated) that can result in the token becoming invalid: the user can visit the Change authorized websites page and choose to manually invalidate a token. If that happens, all you can do is throw out the old one and request a new token.

James Polley
So at the end of the day it's not really a secure way of handling user authentication. Thanks.
Derrick
What do you mean by "secure way"? What do you mean by "User authentication"? AuthSub isn't intended to be used for authentication; it's used for authorization - it authorizes your app to access the user's data. If all you're trying to do is authenticate the user, you want Federated Login (http://code.google.com/apis/accounts/docs/OpenID.html)
James Polley
Thanks, I know. I've been battling with Federated Login for the past three days now - it's far too complex, and that's why I'm looking for an alternate method.
Derrick
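
An added example, not part of the original thread: the token handling the answer describes, with user data keyed by the application's own account id instead of by the AuthSub token. `FakeAuthSub`, `Accounts` and the id `local-42` are hypothetical; the in-memory class stands in for Google's endpoints so the code runs offline, and the account id is assumed to come from a separate login step such as Federated Login.

```python
import secrets

class TokenInvalid(Exception):
    """Raised by the stand-in service when a token has been revoked."""

class FakeAuthSub:
    """In-memory stand-in for Google's token endpoints (constructed, no network)."""
    def __init__(self):
        self._live = set()
    def session_token(self):
        # Plays the role of AuthSubSessionToken: every request yields a new token.
        tok = secrets.token_hex(8)
        self._live.add(tok)
        return tok
    def revoke(self, tok):
        # Plays the role of AuthSubRevokeToken, or the user revoking access manually.
        self._live.discard(tok)
    def fetch(self, tok):
        if tok not in self._live:
            raise TokenInvalid(tok)
        return "user data from Google"

class Accounts:
    """Records keyed by the app's own account id; the token is only an attribute."""
    def __init__(self, service):
        self.service = service
        self.records = {}  # account_id -> {"token": ..., "prefs": {...}}
    def link(self, account_id):
        rec = self.records.setdefault(account_id, {"token": None, "prefs": {}})
        if rec["token"] is None:      # reuse the long-lived token if we hold one
            rec["token"] = self.service.session_token()
        return rec["token"]
    def fetch(self, account_id):
        rec = self.records[account_id]
        try:
            return self.service.fetch(rec["token"])
        except TokenInvalid:
            rec["token"] = None       # throw out the old token; prefs are kept
            return None               # caller sends the user through AuthSub again

def demo():
    svc = FakeAuthSub()
    app = Accounts(svc)
    first = app.link("local-42")
    app.records["local-42"]["prefs"]["theme"] = "dark"
    same = app.link("local-42")       # second login: stored token is reused
    svc.revoke(first)                 # user invalidates the token
    lost = app.fetch("local-42")
    new = app.link("local-42")        # re-authorization yields a different token
    return first == same, lost, new != first, app.records["local-42"]["prefs"]
```
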