dragon asked

What is a session ticket? Security question.

What is a session ticket? Is there a standard for this, like JWT or OAuth2? How does it work? Why is it called a session ticket? Does it work the same way as Steam session ticket or Kerberos session ticket? Why is it secure?


Tags: apis, Authentication

JayZuo answered

A session ticket is a signed ticket that can be used to verify a user's identity between the client and the PlayFab server. All Client API calls, apart from login and password reset, require the Session Ticket as the "X-Authentication" header. In addition, all of PlayFab's SDKs take the Session Ticket from a successful login response and store it locally, re-using it automatically on all subsequent Client API calls, for convenience. For more info, please see this answer: https://community.playfab.com/answers/10934/view.html.

The session ticket used in PlayFab is more like a JWT, but not the same. They are all used for authorization, but as you can see they have different structures. We call it a session ticket because it's a "ticket" that works like a session, which can be used to identify a user. But it's just a name; you can also call it a "token" or something else.

For the security question: the session ticket is encrypted with user info on the server side, and in every Client API call the server will check the ticket to ensure security. A malicious user cannot fake this ticket by themselves. And each session ticket will only be valid for 24 hours. After this time the user must sign in again to get a fresh ticket, which is then valid for the next 24 hours. This also improves the security.

1 comment

Denzie Gray commented:

@Jay Zuo

Does this mean that we should expect only valid calls to PhotonWebhooks and handler functions in the Cloudscript? Would it be redundant to create an AuthCookie?

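To make the flow in JayZuo's answer concrete, here is an added example (not PlayFab SDK code and not from anyone in this thread) of a small JavaScript client that takes the Session Ticket from the login response, stores it, sends it as the "X-Authentication" header on every later Client API call, and treats it as unusable after the 24 hours the answer describes. Everything not on the page is an assumption: the /Client/LoginWithCustomID and /Client/GetPlayerProfile paths, the { code, status, data } response shape, the injected transport/store/clock (so the block runs offline against a constructed fake server), and the client-side expiry bookkeeping (the server enforces the real lifetime; the local timestamp only avoids a call that is certain to fail). One practical point for the page-refresh case: the ticket is a bearer credential, so anything that can read the place it is persisted can replay it until it expires; keeping it across refreshes trades that exposure for convenience.

```javascript
// Added example, not PlayFab SDK code. Assumed (not from the page): REST paths,
// response shape, and the transport/store/clock injection used to run offline.

const TICKET_LIFETIME_MS = 24 * 60 * 60 * 1000; // answer states tickets last 24 hours

class PlayFabSession {
  // transport: fetch-compatible (url, options) => Promise<{ status, json() }>
  // store: getItem/setItem/removeItem, e.g. window.localStorage
  // now: clock in ms, injectable so expiry can be exercised in a test
  constructor({ titleId, transport, store, now = () => Date.now() }) {
    this.titleId = titleId;
    this.transport = transport;
    this.store = store;
    this.now = now;
    this.baseUrl = `https://${titleId}.playfabapi.com`;
  }

  // Login is the one call that carries no X-Authentication; it returns the ticket.
  async loginWithCustomId(customId) {
    const res = await this.transport(`${this.baseUrl}/Client/LoginWithCustomID`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ TitleId: this.titleId, CustomId: customId, CreateAccount: true }),
    });
    const body = await res.json();
    if (res.status !== 200) throw new Error(`login failed: ${body.errorMessage || res.status}`);
    // Persist the ticket plus a local expiry so a page refresh can resume the session.
    this.store.setItem('pf_session', JSON.stringify({
      ticket: body.data.SessionTicket,
      expiresAt: this.now() + TICKET_LIFETIME_MS,
    }));
    return body.data.PlayFabId;
  }

  // The stored ticket, or null if none is stored or the 24-hour lifetime has passed.
  currentTicket() {
    const raw = this.store.getItem('pf_session');
    if (!raw) return null;
    const { ticket, expiresAt } = JSON.parse(raw);
    if (this.now() >= expiresAt) { this.store.removeItem('pf_session'); return null; }
    return ticket;
  }

  // Every other Client API call sends the ticket in X-Authentication.
  async call(path, request = {}) {
    const ticket = this.currentTicket();
    if (!ticket) throw new Error('no valid session ticket; user must log in again');
    const res = await this.transport(`${this.baseUrl}${path}`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', 'X-Authentication': ticket },
      body: JSON.stringify(request),
    });
    const body = await res.json();
    // Server-side check failed: drop the local copy so the app falls back to login.
    if (res.status === 401) { this.store.removeItem('pf_session'); throw new Error('ticket rejected by server'); }
    return body.data;
  }
}

// Constructed in-memory store (stand-in for localStorage).
function makeMemoryStore() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)), removeItem: k => m.delete(k) };
}

// Constructed fake server: issues one ticket at login and rejects any other value.
function makeFakeTransport(log) {
  const validTicket = 'CONSTRUCTED-TICKET-abc123';
  return async (url, options) => {
    log.push({ url, headers: options.headers });
    const reply = (status, body) => ({ status, json: async () => body });
    if (url.endsWith('/Client/LoginWithCustomID')) {
      return reply(200, { code: 200, status: 'OK', data: { SessionTicket: validTicket, PlayFabId: 'PF-0001' } });
    }
    if (options.headers['X-Authentication'] !== validTicket) {
      return reply(401, { code: 401, status: 'Unauthorized', errorMessage: 'NotAuthenticated' });
    }
    return reply(200, { code: 200, status: 'OK', data: { PlayerProfile: { DisplayName: 'dragon' } } });
  };
}

// Login, a ticketed call, resume after "refresh", a forged ticket, and 24-hour expiry.
async function demo() {
  const log = [];
  let clock = 1700000000000; // constructed fixed clock (ms since epoch)
  const store = makeMemoryStore();
  const make = () => new PlayFabSession({ titleId: 'ABCD', transport: makeFakeTransport(log), store, now: () => clock });

  const s1 = make();
  const playFabId = await s1.loginWithCustomId('device-42');
  const profile = await s1.call('/Client/GetPlayerProfile', { PlayFabId: playFabId });

  const s2 = make(); // new instance over the same store, like a page refresh
  const resumed = s2.currentTicket() !== null;

  store.setItem('pf_session', JSON.stringify({ ticket: 'FORGED', expiresAt: clock + 1000 }));
  const forgedError = await s2.call('/Client/GetPlayerProfile', {}).catch(e => e.message);
  const droppedAfterForgery = store.getItem('pf_session') === null;

  await s2.loginWithCustomId('device-42');
  clock += TICKET_LIFETIME_MS; // one full lifetime later
  const expiredError = await s2.call('/Client/GetPlayerProfile', {}).catch(e => e.message);

  return { playFabId, displayName: profile.PlayerProfile.DisplayName, resumed, forgedError, droppedAfterForgery,
           expiredError, loginHadHeader: 'X-Authentication' in log[0].headers, ticketHeader: log[1].headers['X-Authentication'] };
}

if (typeof require !== 'undefined' && require.main === module) demo().then(r => console.log(r));
```

Swapping the fake transport for the real fetch and the memory store for localStorage gives the shape of a browser client; the resume-after-refresh branch is the behaviour the React question below is after, and the forged-ticket branch shows why a client never needs to validate the ticket itself: the server does that on every call.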
Lucilo Del Castillo answered

@Jay Zuo,

I was just dealing with the Session Ticket, storing it in localStorage, until I saw this post. I see now that I don't need to send any headers or deal with the session ticket in storage. But in my React app, where I am using the PlayFab-SDK, it seems that when I refresh the page the session ends and/or I am not able to make new API calls from that client session. Is there some information on the proper way to deal with auth sessions using the PlayFab-SDK? For example, I would like the user to be able to refresh the page and not have to log in again.

Thank you
