Can't stay logged in on iOS for more than a couple of hours...


#1

I have an app – Ionic 3.20.0, Angular 5.2.10 – which uses JWT for authentication (via angular-jwt 1.1.0) against my web server. Everything works fine unless my app is idle for more than a couple of hours. Then when I try to access a page that requires authentication I get a 401 back from my server.

What’s strange to me is that on Android everything works fine. I can stay logged in for several days at a time. In fact, I don’t recall ever being bumped from a session on Android in the two months since I created the app.

At first I thought it was an issue with Ionic storage perhaps not actually committing my token to the database. So I switched to Native Storage and still got the same problem. So then I changed the way angular-jwt gets my token. I initially had my tokenGetter function pulling from storage via: return storage.get('accessToken'); but I changed things around so that the token is just a variable/property on my Auth service. So now my tokenGetter does: return auth.token; But I still get the same results.

I’m continuing to try to debug this but it seems like my app is just in a weird state when I come back to it after it’s been idle for a couple of hours. Almost like some of the variables and/or objects are trashed. I’m wondering if anybody has seen such a difference in behavior between Android and iOS with regard to session management. Any input would be greatly appreciated.


#2

I’ve created multiple apps with JWT auth and actually never experienced something like this! If it works on Android I guess the expiration date of your JWT is fine; however recently I used a library that was not calculating the date correctly and therefore returned that the token was invalid so perhaps start checking that date as well.

Otherwise, however you use storage/variables, make sure Cordova is loaded once you access the values. If you store the token in like Ionic Storage + SQL there’s really no way that token gets deleted while the app is in the background!


#3

Thanks for the expiration date idea. I’ll look into that.


#4

Looks like I’ve got it solved! Thanks again for pointing me toward looking at the expiration time. Turns out the Access-Control-Max-Age header was being set to 1 hour. I’m using a Ruby on Rails backend and the JWT library I’m using defaults the header to 1 hour. I’m now explicitly setting it to 30 days and so far, so good.

But now I’ve got to figure out why it wasn’t expiring on Android! I think the Android app may be sending cookies along with the token…

Anyway, thanks again!