I am working on an application that requires users to log in before they can use it. Users should only be able to log in when connected to the internet. When a user logs in, a token should be stored on the device, allowing for offline use of the application without logging in again. I basically want to check if this token is present and take the user to the application if it is or the login screen otherwise. Additionally this token should expire after a while.

The question is whether there is a way to store a token that will expire after, let's say, 24 hours, without the user being able to tamper with it or trick the system in any way (e.g. if the token is timestamped and the user changes the device time). The token should expire without the user being connected to the internet, so that the user won't be able to use the application forever without reauthenticating every once in a while.

I've not been able to find an answer to this question although it seems simple enough. I've looked into technologies such as OAuth and NSHTTPCookie, but these seem concerned with online authentication whereas I am trying to authenticate the user in an offline setting.

Slick Vick
  • Doable, but I have some questions. Are you going to use the stored token to send to the server while connected to the network? You can use Keychain for saving credentials & save the last login time in UserDefaults (whichever suits you). Before the next login, compare the last login time with 24 hrs. If less, allow access; otherwise delete the credential from Keychain. – Gagan_iOS Sep 08 '17 at 10:19
  • Thank you for the reply. No, I will not be reauthenticating with the server until the token has expired. The token, which has been signed by the server, is used to authenticate and authorize the user for the 24 hours. Even if the user has internet access I do not want to connect to the server if a valid token is present. – Slick Vick Sep 08 '17 at 10:31
  • Great go for Keychain. Best & Secure. – Gagan_iOS Sep 08 '17 at 10:58
  • To enforce time stamp, token can be a digitally signed JWT where one of the claims is an expiry time. JWT is signed server side with private key, verified client side with public key. Verification phase includes checking expiry against clock. Assuming user does not tamper with clock or public key, should work I think. – TheGreatContini Sep 08 '17 at 11:15
  • That is my only concern, that the user tampers with the clock. I consider it a huge security hole if a user can simply set the time back to extend their session. This is where I would get the time from the server that issued the token, but that requires the user to be connected to the internet. I was hoping iOS had a way of marking the token as expired for me to avoid this problem. – Slick Vick Sep 08 '17 at 11:31

1 Answer

You can use the keychain; this will be the safest option.

You can use "SwiftKeychainWrapper".

When the user authenticates >> save the token and a timestamp to the keychain.

import SwiftKeychainWrapper

// Store the server-issued token and the time it was stored (both as strings).
let tokenSaved: Bool = KeychainWrapper.standard.set("TOKEN", forKey: "authKey")
let timeSaved: Bool = KeychainWrapper.standard.set(String(Date().timeIntervalSince1970), forKey: "timeKey")

For offline authentication, use the key and timestamp combo to check whether to give the user access...

// Read both values back; either is nil if nothing was stored or it was removed.
let authToken: String? = KeychainWrapper.standard.string(forKey: "authKey")
let timeToken: String? = KeychainWrapper.standard.string(forKey: "timeKey")

After the time is up, just remove them from the keychain...

Abhishek
  • What should I compare the timestamp to? If I compare it to the device time, wouldn't the user be able to simply put the clock back to extend their session? Connecting to a server to get the time is not an option. – Slick Vick Sep 08 '17 at 11:34
  • Yeah, that's hard to tackle, so SO has many posts regarding this... you can make your own system considering local time, server time (for first auth), carrier time, CPU time (resets when the system reboots) and OS notifications... you can block the user if you find something funny... the thing is there is no straight solution for this problem... you can refer to the SO posts below https://stackoverflow.com/questions/34627791/accurate-time-detection-while-offline https://stackoverflow.com/questions/23801484/ios-time-change-notification-and-previous-time – Abhishek Sep 08 '17 at 16:21
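The approach the comments sketch (a server-signed token carrying an expiry claim, kept on the device next to the last device time at which it was checked, with a clock that moves backwards treated as a reason to log in again) as an added Python example; this is not code from the question, the answer or SwiftKeychainWrapper. The key, claim names, skew window and the HMAC stand-in for the server's asymmetric signature are assumptions made for the example.

```python
import base64, hashlib, hmac, json
from dataclasses import dataclass

# Constructed demo key. In a real deployment the server signs with a private
# key and the app verifies with the matching public key (as TheGreatContini's
# comment describes); HMAC is used here only so the example runs on the stdlib.
SERVER_KEY = b"constructed-demo-signing-key"
CLOCK_SKEW_S = 300  # tolerated difference between server clock and device clock

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, server_now: float, ttl_s: int = 86400) -> str:
    """Server side, online only: sign {sub, iat, exp} so the device cannot edit exp."""
    claims = {"sub": user, "iat": server_now, "exp": server_now + ttl_s}
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"

@dataclass
class OfflineSession:
    """What the app keeps in the keychain: the token plus the highest device time seen."""
    token: str
    high_water_mark: float  # device time at the last successful check

def check_offline(session: OfflineSession, device_now: float) -> str:
    """Return 'ok' or the reason the user must log in again; advances the high-water mark."""
    body, _, sig = session.token.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64d(sig), expected):
        return "bad-signature"        # token bytes were altered on the device
    claims = json.loads(_b64d(body))
    if device_now < session.high_water_mark:
        return "clock-rolled-back"    # device time went backwards since the last check
    if device_now < claims["iat"] - CLOCK_SKEW_S:
        return "clock-behind-server"  # token is "from the future": clock set back before first use
    if device_now >= claims["exp"]:
        return "expired"
    session.high_water_mark = device_now
    return "ok"
```

Any of the non-"ok" results should send the user to the login screen and remove the stored token; the high-water mark only narrows the window in which a rolled-back clock helps, it does not detect a clock set back before the token was first checked unless that puts the device behind the token's issue time.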