On Saturday, November 18, 2017 at 4:50:43 AM UTC-8, Anthony wrote:
>
>> returned 1, 2, 3, 4, .... for the browser, and 1, 1, 1, 1, .... for my
>> curl-JWT accesses. If I wait long enough, the token expires as expected
>> (not very long for the default), but before it expires it acts like the
>> session stays around to keep me "logged in", but also like the session is
>> new every time for the tcount variable.
>
> When you make an HTTP request to web2py, it sends back a session cookie.
> Browsers retain and keep sending back the session cookie (throughout the
> course of a browser session), so web2py can continue to identify the
> browser with a particular session. By default, curl does not retain cookies
> and send them back to the remote server on subsequent requests, so web2py
> has no way of associating each curl request with the same session.

Okay, that's pretty clear. The counter was just an experiment.
> JWT auth does not work via cookies. Rather, the JWT goes in the HTTP
> request headers. So, with curl, you are sending the JWT to web2py on every
> request, and web2py is able to validate the JWT on each request (the JWT
> can be validated based only on its own data -- nothing from a server-side
> session is needed to validate it). web2py, therefore, is not "keeping you
> logged in" -- you are really re-authenticating on every single request by
> sending the JWT in the request headers.
>
> By the way, you can use curl to store and return cookies using the
> --cookie and --cookie-jar options.
>
> Anthony

Thanks! You have both depth and breadth in the topics around here.

/dps
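The distinction Anthony draws above, a JWT that is validated from its own contents on every request versus a server-side session that is only found again when the client sends its cookie back, as an added example that is not code from the thread or from web2py. The HS256 key, the claims, the `tcount` counter and the two client simulations (`browser_like` keeps the cookie, `curl_like` discards it) are all constructed for the illustration; web2py's own JWT and session implementation is not shown here.

```python
"""Stateless JWT validation next to cookie-keyed server sessions (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-hmac-key"  # assumption: key shared by issuer and verifier


def _b64url(data):
    """Base64url without padding, as JWT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims, lifetime_s, now=None):
    """Mint an HS256 token carrying the claims plus iat/exp."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=int(now), exp=int(now) + lifetime_s)
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, now=None):
    """Return the claims if signature and expiry check out, else None.

    Nothing here touches a session store: the token alone is enough, which is
    why every curl request carrying it is a fresh, successful authentication.
    """
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # only accept the algorithm we issue
        return None
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class SessionStore:
    """Server-side sessions looked up by the cookie value the client sends back."""

    def __init__(self):
        self._sessions = {}

    def handle(self, cookie):
        """One request: find the session by cookie or start a new one, bump tcount."""
        if cookie is None or cookie not in self._sessions:
            cookie = secrets.token_hex(16)  # fresh session id for an unknown client
            self._sessions[cookie] = {"tcount": 0}
        self._sessions[cookie]["tcount"] += 1
        return self._sessions[cookie]["tcount"], cookie


def browser_like(store, n):
    """A browser stores the Set-Cookie value and returns it on each request."""
    cookie, counts = None, []
    for _ in range(n):
        count, cookie = store.handle(cookie)
        counts.append(count)
    return counts


def curl_like(store, n):
    """Plain curl sends no cookie back, so every request looks like a new client."""
    return [store.handle(None)[0] for _ in range(n)]


if __name__ == "__main__":
    store = SessionStore()
    print("browser:", browser_like(store, 4))  # counter climbs: 1, 2, 3, 4
    print("curl:   ", curl_like(store, 4))     # counter resets: 1, 1, 1, 1
    token = issue_jwt({"user": "dps"}, lifetime_s=60, now=1000)
    print("valid before exp:", verify_jwt(token, now=1030))
    print("after exp:       ", verify_jwt(token, now=1061))
```

Running it reproduces the thread's observation: the cookie-keyed counter goes 1, 2, 3, 4 for the client that keeps its cookie and 1, 1, 1, 1 for the one that does not, while the JWT keeps verifying until `exp` passes with no session involved at all. A curl client given `--cookie-jar` and `--cookie` would behave like `browser_like`.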

