1

Please help!

Short question: I try to login ParseUser with session token like this:

ParseUser.becomeInBackground(token);

It always goes ok on first login. But it always fails when I retry. I get "invalid session token" error. Session stays the same. Any other info on token is hidden.

Detailed question: I'm building an app for parents and kids. It is suggested that 2 users start the app on their (different) devices using one account (one ParseUser for various devices logged in at one time). First a parent signs in on his devices. Then he generates a QR code with the session token.

String token = ParseUser.getCurrentUser().getSessionToken();
Bitmap bitmap = encodeAsBitmap(token);
qrView.setImageBitmap(bitmap);

The kid's device reads this QR and logs in. This procedure goes fine the first time. But if I log out the kid's device and try to log in by QR for the second time, it fails with "invalid session token". It also fails when I try to log in a second kid's device. When I delete the session manually in parse-dashboard, I can log in the kid's device with QR again, but only once.

I tried my best to find some solution here and on the other internet but I didn't succeed.

Dear expert-level developers, help me on this issue.

2 Answers

1

It seems that I figured it out.

Short answer: In Parse.com dashboard go to Settings tab. On General tab go to "User Sessions" section. Switch off "Require revocable sessions" toggle.

Details: Since March 2015 Parse.com started using revocable sessions. It means that when a user logs out or the session expires, it becomes useless. So you have to log out and log in back to use your app as usual. This is an important security issue. But in a case like mine consider switching it off.


0

I think your problem has to do with Parse.com now using revocable session tokens, see http://blog.parse.com/announcements/announcing-new-enhanced-sessions/

Others are having similar issues here: https://groups.google.com/forum/#!topic/parse-developers/Knxl_MBVlLY

This means that the token is only valid during a session, that is, while the user is logged on the device. Once the user logs out, the session is destroyed together with the token.

Perhaps this could be considered a 'feature' in your app, as the parents can pose control over their kids' access to the app. If they log out, so is their child(ren).

If this is too far from the intended usage scenario, you could consider adding third party login such as Auth0 or OAuth:

https://auth0.com/docs/scenarios/parse

https://parse.com/tutorials/adding-third-party-authentication-to-your-web-app

2 Comments

Thank you! You are totally right. The reason why token invalidates is that session revokes on logout. That helped me a lot.
Glad I could help and actually did not notice that they allow turning it off, nice to know :-)
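
A small model of the behaviour both answers describe, added here as an example (it is not code from the post or from Parse). The class and method names are hypothetical. It assumes that with revocable sessions on, a logout from any device deletes the shared session on the server, and that with the setting off the token stays valid after logout, which also means a copied QR code keeps working.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Constructed model of a server-side session table; not Parse's implementation.
public class RevocableSessionDemo {
    private final Map<String, String> sessions = new HashMap<>(); // token -> user
    private final boolean revocable; // models the "Require revocable sessions" toggle

    RevocableSessionDemo(boolean revocable) { this.revocable = revocable; }

    /** Credential login: the server issues a fresh session token. */
    String logIn(String user) {
        String token = "r:" + UUID.randomUUID();
        sessions.put(token, user);
        return token;
    }

    /** Models become(token): works only while the server still knows the token. */
    String become(String token) {
        String user = sessions.get(token);
        if (user == null) throw new IllegalStateException("invalid session token");
        return user;
    }

    /** Models logout on any device that holds the token. */
    void logOut(String token) {
        if (revocable) sessions.remove(token); // revocation is global, not per device
    }

    static boolean canLogIn(RevocableSessionDemo server, String token) {
        try { server.become(token); return true; }
        catch (IllegalStateException e) { return false; }
    }

    public static void main(String[] args) {
        for (boolean revocable : new boolean[] {true, false}) {
            RevocableSessionDemo server = new RevocableSessionDemo(revocable);
            String qrToken = server.logIn("parent");        // token the parent puts in the QR code
            boolean firstScan = canLogIn(server, qrToken);  // kid's device scans the QR
            server.logOut(qrToken);                         // kid's device logs out
            boolean secondScan = canLogIn(server, qrToken); // same QR scanned again
            System.out.printf("revocable=%b firstScan=%b scanAfterLogout=%b%n",
                    revocable, firstScan, secondScan);
        }
    }
}
```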
