#ie.atanu
Hi @fading vector
We don't expose the exact TTL here. It is pretty short and you should generate a new one if it expires.
I understand, but the problem we are facing is not about generating a new URL. We noticed that it remains active for a good amount of time and we were looking for a way to shorten it.
One of our clients has raised a concern about it.
Hmm why exactly? And in that case, you control the URL here on your site, right?
The point of Customer Portal is to allow for Customer Management by the customer themselves. It doesn't really make sense to be concerned about the TTL here imo...
Let me explain...
In our application, we have a CTA which says "Manage your subscriptions". Once clicked, we create a "portal session object" as described here: https://stripe.com/docs/customer-management/integrate-customer-portal#redirect
then we take the "url" from the newly created portal session object: https://stripe.com/docs/api/customer_portal/session#portal_session_object-url
At this point the user is already authenticated in our app. Then we redirect the user to the "url" of the "portal session object", which looks something like this: https://billing.stripe.com/p/session/xxxxxxxxxxxxxxxxxxxxxxxx
Now the problem is: if the user accidentally shares this session URL (after redirect) with someone, they can also access the customer portal of that user.
We were looking for a way to prevent that from happening.
Why would that person be sharing that URL?
Also, am I misremembering... I thought the Sessions were single-use.
Possible I am misremembering that, though.
Yes, ideally the Session URLs should have been single-use, but unfortunately they are not.
If I generate a session url and if you get access to it, you will be able to access my portal without any authentication.
Overall I think what you are saying is fair feedback and I can relay it to the team. But overall, there is already authentication being done on your end, and there is really no reason for these links to be shared.
So the fear here shouldn't really ever be realized. But, like I said, I will share this feedback with our team and encourage them to add the ability to expire Portal Sessions.
Got it. Thanks @fading vector.