> returned 1, 2, 3, 4, .... for the browser, and 1, 1, 1, 1, .... for my
> curl-JWT accesses. If I wait long enough, the token expires as expected
> (not very long for the default), but before it expires it acts like the
> session stays around to keep me "logged in", but also like the session is
> new every time for the tcount variable.
When you make an HTTP request to web2py, it sends back a session cookie. Browsers retain and keep sending back the session cookie (throughout the course of a browser session), so web2py can continue to identify the browser with a particular session. By default, curl does not retain cookies and send them back to the remote server on subsequent requests, so web2py has no way of associating each curl request with the same session.

JWT auth does not work via cookies. Rather, the JWT goes in the HTTP request headers. So, with curl, you are sending the JWT to web2py on every request, and web2py is able to validate the JWT on each request (the JWT can be validated based only on its own data -- nothing from a server-side session is needed to validate it). web2py, therefore, is not "keeping you logged in" -- you are really re-authenticating on every single request by sending the JWT in the request headers.

By the way, you can use curl to store and return cookies using the --cookie and --cookie-jar options.

Anthony

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
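A small model of the two flows described above, added here as an illustration and not web2py's own code: a server keeps tcount in a server-side session named by a cookie, and when no cookie comes back it validates an HS256 JWT statelessly (signature plus expiry only) and starts a fresh session. The key, header names and user name are constructed assumptions; simulate() plays a client that either discards cookies (plain curl) or returns them (a browser, or curl with --cookie-jar).

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key"  # assumed shared HMAC key; constructed for this demo
SESSIONS = {}                     # server-side session store: session_id -> dict

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_jwt(user: str, ttl: int = 300) -> str:
    """Mint an HS256 JWT that expires ttl seconds from now."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64u(json.dumps({"user": user, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"

def verify_jwt(token: str):
    """Stateless check: only the token and the server key are needed, no session."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64u(expected).encode(), sig.encode()):
        return None  # signature does not match: tampered token or wrong key
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > time.time() else None  # reject expired

def handle_request(headers: dict) -> dict:
    """One request: resume the session named by the cookie, else authenticate from the JWT."""
    sid = headers.get("Cookie", "").removeprefix("session_id=") or None
    if sid not in SESSIONS:
        auth = headers.get("Authorization", "")
        claims = verify_jwt(auth.removeprefix("Bearer ")) if auth.startswith("Bearer ") else None
        if claims is None:
            return {"status": 401}
        sid = secrets.token_hex(16)              # brand-new session for this request
        SESSIONS[sid] = {"user": claims["user"], "tcount": 0}
    SESSIONS[sid]["tcount"] += 1
    return {"status": 200, "Set-Cookie": f"session_id={sid}", "tcount": SESSIONS[sid]["tcount"]}

def simulate(n: int, keep_cookies: bool) -> list:
    """n requests with a valid JWT; keep_cookies mimics a browser or curl --cookie-jar."""
    token, jar, counts = issue_jwt("alice"), {}, []
    for _ in range(n):
        resp = handle_request({"Authorization": f"Bearer {token}", **jar})
        counts.append(resp.get("tcount"))
        if keep_cookies:
            jar = {"Cookie": resp["Set-Cookie"]}  # send the session cookie back next time
    return counts
```

Without a cookie jar every request authenticates from the JWT alone and lands in a new session, so tcount stays at 1; with the cookie returned, the same session is resumed and tcount climbs.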

