1

If I could remember the user's password I could use that for Auth.SignInWithEmailAndPasswordAsync every time, but it is a bad security practice. When I restart the game the Auth variable would require a login again.

How can I use the same session as the last time I logged in? Is there any login token that I can store and use again and again? I heard that Firebase has a token that expires in 1 hour and that's crazy.

Of course the time between when a user stops playing a game and starts playing again would be more than 1 hour. How can other people even make games with login with Firebase? I don't remember logging in every hour in other games.

KENdi
5argon

2 Answers

1

If you are worried about security, then don't save the username and password.

Just dedicate a script that stores the email and password information, then store them in static string variables. After that, add DontDestroyOnLoad(gameObject); in the Awake function of that script so that the script will not be destroyed when a new scene loads.


If you also need this information to be available when the game is closed and re-opened then you have to get the email and password, encrypt and save it. You can send and save the key on your own server if you want to make it harder to decrypt by another person or you can save it on the device itself but should perform more actions on the key before saving it so that the key can't be easily retrieved like that.

When loading the login information just read the saved file, then decrypt it and pass it into the Auth.SignInWithEmailAndPasswordAsync function.

Programmer
  • Thank you. I haven't thought of the approach of keeping the encryption key on the server side. Though, this way it still implies that I am storing user's password and I can know everyone's password as well because I have the key. But I think it is better than storing user's password at server side and is the best at the moment if Firebase still cannot produce long lived login token. – 5argon Jul 31 '17 at 10:26
  • 1
    *"Though, this way it still implies that I am storing user's password and I can know everyone's password as well because I have the key"* **Nope**. Not true because you **only** have the key on the server. The encrypted file is saved on the user's device. You need the key + the file to get this user information back. Also, the decryption is done on the device's side, not on the server. You just retrieve the key from the server then unlock/decrypt the file on the device. – Programmer Jul 31 '17 at 10:33
0

The ID token expires in one hour but will be refreshed indefinitely. Firebase Auth sessions should not expire. Are you checking the Auth state correctly? I don't know what the equivalent is in Unity, but for the other platforms you normally check onAuthStateChanged to detect whether a user is logged in or not.

bojeil
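The auth-state check described in the second answer, written for Unity as an added example (not code from any of the posters): on startup it uses the user the Firebase Unity SDK restored instead of a stored password, and asks for credentials only when no user is present. The class name AuthSessionBootstrap and the ShowLoginScreen placeholder are hypothetical.

```csharp
using System;
using Firebase.Auth;
using UnityEngine;

// Added example: AuthSessionBootstrap and ShowLoginScreen are hypothetical names.
public class AuthSessionBootstrap : MonoBehaviour
{
    private FirebaseAuth auth;
    private FirebaseUser user;

    private void Awake()
    {
        DontDestroyOnLoad(gameObject);              // one listener for all scenes
        auth = FirebaseAuth.DefaultInstance;
        auth.StateChanged += OnAuthStateChanged;
        OnAuthStateChanged(this, EventArgs.Empty);  // evaluate the restored state once
    }

    private void OnDestroy()
    {
        if (auth != null) auth.StateChanged -= OnAuthStateChanged;
    }

    private void OnAuthStateChanged(object sender, EventArgs e)
    {
        if (auth.CurrentUser == user) return;       // nothing changed
        user = auth.CurrentUser;
        if (user == null) { ShowLoginScreen(); return; }
        // false = reuse the cached ID token, refreshing it only if it has expired.
        user.TokenAsync(false).ContinueWith(t =>
        {
            if (t.IsFaulted || t.IsCanceled) { Debug.LogWarning("ID token refresh failed"); return; }
            string idToken = t.Result;              // pass to your own backend if it verifies tokens
            Debug.Log("ID token ready, length " + idToken.Length); // never log or store the token itself
        });
    }

    // Called from the login UI only when no session was restored.
    public void SignIn(string email, string password)
    {
        auth.SignInWithEmailAndPasswordAsync(email, password).ContinueWith(t =>
        {
            if (t.IsFaulted || t.IsCanceled) Debug.LogWarning("Sign-in failed");
            // On success StateChanged fires; the password is not kept anywhere.
        });
    }

    private void ShowLoginScreen() { Debug.Log("No saved session: show the login form"); }
}
```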