- domain
- Has a maximum size of 4096 bytes (4 KB) per cookie
- Usually gets deleted when the browser is closed, unless an expiration date is set (then it persists on disk until that date)

document.cookie = "auth_key=12345678; expires=…."
# POST /api/session: look the login up in the DB, verify the password, then create the session
def create
  resource = resource_class.find_for_database_authentication(login: params[:data][:login])
  # Same message for an unknown login and a wrong password, so the response body
  # does not reveal which logins exist (note the timing still differs: no hashing is done here)
  raise "Invalid login or password" if resource.nil?

  # If the login is found, continue with password verification
  password_valid = resource.valid_password?(params[:data][:password])
  raise "Invalid login or password" unless password_valid

  # Create authentication information (session / token)
  create_authentication!(resource)

  # Render the response
  render json: resource, serializer: Api::SessionSerializer, status: 201 # created
end
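The endpoint above returns one generic error, but it skips the password hash when the login is unknown, so response time can still tell an attacker which logins exist. The following is an added example (not code from the slides or from Devise) of a login check that does the same hashing work on both paths and compares digests in constant time. Password hashing is PBKDF2-HMAC-SHA256 from Ruby's stdlib, chosen here as an assumption so the example runs without gems (Devise's valid_password? uses bcrypt); the USERS table and the module name Login are constructed for the example.

```ruby
require "openssl"
require "securerandom"

# Added example: uniform-failure login check. Names and the PBKDF2 choice are
# assumptions for this illustration, not the slides' or Devise's code.
module Login
  ITERATIONS = 20_000
  KEY_LEN = 32

  # Returns "salt$hex-digest" for storage in the users table.
  def self.hash_password(password, salt = SecureRandom.hex(16))
    digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                                        OpenSSL::Digest.new("sha256"))
    "#{salt}$#{digest.unpack1('H*')}"
  end

  # Constant-time comparison: XOR every byte pair, never exit early on a mismatch.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Re-derive the digest with the stored salt and compare the full record.
  def self.password_valid?(stored, password)
    salt, _digest = stored.split("$", 2)
    secure_compare(stored, hash_password(password, salt))
  end

  # Hash of a random password, verified against when the login does not exist,
  # so an unknown login costs the same time as a wrong password.
  DUMMY = hash_password(SecureRandom.hex(16))

  class InvalidCredentials < StandardError; end

  # users: { login => stored_hash }. Raises the same error for every failure
  # and only returns the login once both checks pass.
  def self.authenticate(users, login, password)
    stored = users.fetch(login, nil)
    # The hash runs first on both paths; the nil check is applied afterwards.
    valid = password_valid?(stored || DUMMY, password) && !stored.nil?
    raise InvalidCredentials, "Invalid login or password" unless valid
    login
  end
end

# Constructed sample data standing in for the users table.
USERS = { "giovanni" => Login.hash_password("correct horse") }
```

In a Rails controller the `InvalidCredentials` error would be rescued into the same 401 response regardless of which check failed.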
Demo: users table
id: 1, name: giovanni
id: 2, name: john
id: 3, name: robert
id: 4, name: sean
id: 5, name: roger
Logged in as Giovanni, John is admin
ping to server 1st
- Not a concern => store authorization on the client

2. Do many of your users access your app from public/shared PCs?
- Quick session timeout (idle and absolute)
- Disable the 'remember me' feature, since a persistent cookie stays on the shared machine
…
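The cookie slide (session cookie vs. one with an expiration date) and the shared-PC checklist above are two sides of the same policy. As an added example, not code from the slides, here is a small server-side session policy in plain Ruby: an idle timeout and an absolute timeout are enforced from the server's own timestamps, "remember me" is honoured only when the policy allows it, and the Set-Cookie header is built without Expires so the browser drops it when closed. The class names, the header attributes chosen, and the 4096-byte guard are assumptions for this example; in a Rails app the equivalent lives in the session store configuration and a before_action.

```ruby
require "time"

# Added example: shared-PC session policy. SessionPolicy/Session are illustrative
# names, not part of the slides or of Rails.
class SessionPolicy
  MAX_COOKIE_BYTES = 4096   # per-cookie limit mentioned on the cookie slide

  Session = Struct.new(:id, :created_at, :last_seen_at)

  def initialize(idle_timeout:, absolute_timeout:, allow_remember_me: false)
    @idle_timeout = idle_timeout          # seconds of inactivity before logout
    @absolute_timeout = absolute_timeout  # seconds since login, regardless of activity
    @allow_remember_me = allow_remember_me
  end

  def start(now, id)
    Session.new(id, now, now)
  end

  # Refreshes the session on activity; returns nil when either timeout has passed.
  # Expiry is decided here, from server timestamps, never from the cookie's Expires.
  def touch(session, now)
    return nil if now - session.last_seen_at > @idle_timeout
    return nil if now - session.created_at > @absolute_timeout
    session.last_seen_at = now
    session
  end

  # Set-Cookie value for the session id. Without Expires the browser discards it
  # on close; Expires is added only when the client asks for remember-me AND the
  # policy allows it (it does not on the shared-PC profile).
  def cookie_header(session, now, remember_me: false)
    parts = ["sid=#{session.id}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if remember_me && @allow_remember_me
      parts << "Expires=#{(now + @absolute_timeout).httpdate}"
    end
    header = parts.join("; ")
    if header.bytesize > MAX_COOKIE_BYTES
      raise ArgumentError, "cookie exceeds #{MAX_COOKIE_BYTES} bytes"
    end
    header
  end
end

# Profile for a kiosk / shared-PC deployment: 5 minute idle, 1 hour absolute,
# no remember-me (constructed values for the example).
SHARED_PC = SessionPolicy.new(idle_timeout: 300, absolute_timeout: 3600)
```

The session id in the cookie is the only thing stored on the client; everything that decides whether the user is still logged in stays on the server.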
(e.g. credit cards, etc.)
- Do not store it on the client. Ever.
- HTTPS for the transaction is a must!
- Use 3rd-party payment tools

4. Does your application have a separate admin area to control the whole application?
- Use a separate domain for the admin area. Or better yet, a different server too.
- Obfuscate the URL: http://app.com/xyzabc rather than http://app.com/admin (this only hides the area; every admin request still needs authentication and an admin-role check)
…
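As an added example (not code from the slides), here is a Rack-style middleware that applies both points of item 4 together: the admin area is only served on a dedicated host, admin paths requested on the public host get a 404 whether they use the obscured or the obvious path, and on the admin host the request still has to carry a session that belongs to an admin user. The host name, the `sid` cookie, the users hash keyed by session id, and the class name AdminAreaGuard are assumptions for this example; the user names reuse the demo's table and are constructed data.

```ruby
# Added example: admin area on its own host plus a role check. Names and env
# keys are illustrative; only HTTP_HOST, PATH_INFO and HTTP_COOKIE are standard Rack keys.
class AdminAreaGuard
  ADMIN_HOST = "admin.app.example"             # assumption: dedicated admin host
  ADMIN_PATHS = ["/xyzabc", "/admin"].freeze   # obscured and obvious prefixes

  # users: { session_id => { name:, admin: } } (constructed lookup for the example)
  def initialize(app, users:)
    @app = app
    @users = users
  end

  def call(env)
    host = env["HTTP_HOST"].to_s.split(":").first   # drop an explicit port
    path = env["PATH_INFO"].to_s

    if host == ADMIN_HOST
      user = @users[session_id(env)]
      # No session or not an admin: respond as if the area did not exist.
      return not_found unless user && user[:admin]
      return @app.call(env)
    end

    # Public host: admin paths are never served here, obscured or not.
    return not_found if ADMIN_PATHS.any? { |p| path.start_with?(p) }

    @app.call(env)
  end

  private

  def not_found
    [404, { "content-type" => "text/plain" }, ["Not Found"]]
  end

  # Reads the "sid" cookie; returns nil when absent.
  def session_id(env)
    env["HTTP_COOKIE"].to_s.split(";").map(&:strip).each do |pair|
      name, value = pair.split("=", 2)
      return value if name == "sid"
    end
    nil
  end
end

# Constructed sample data: sessions for the demo's users.
SAMPLE_USERS = {
  "s-giovanni" => { name: "giovanni", admin: false },
  "s-john"     => { name: "john",     admin: true },
}.freeze
```

Hiding the path buys a little against casual discovery; the host split and the role check are what actually keep Giovanni out of John's admin area.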