I am currently using JSON Web Tokens for authenticating users on the server. Now I want users to have only one active login at any given time. As mentioned in some other answers on Stack Overflow like this one, this can easily be done by storing the generated JSON Web Token in a database table and updating this token every time the user logs into the server. Whenever authenticating a user, all I have to do is check for the token in the database.

I was thinking of another approach. Since I am using JSON Web Tokens, I can use different secrets for different users and store them in the database rather than storing the whole token. These secrets will be updated whenever the user logs in. So at any time there will be only one secret, and since only one token can be decoded for the user with any secret (in this case, of course), only one login will be active.

I want to know which of these two approaches is better. Is it okay to have different secrets for different users?
Viewed 1,969 times
1 Answer
You do not need to store the JWT in the DB to do that. Simply inject a unique time-based value (a UUID or the user's login timestamp) into the JWT at login and save that value in the DB against the user. Whenever authenticating a user, check the equality of that value against the one in the DB. If they match, which means the account has not been logged in from any other device, you can proceed. If they don't, send an appropriate error message to the user.
TMtech
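The check described in the answer above, as an added example written for this page (it is not the answerer's code and uses no particular JWT library): a minimal HS256 JWT encoder/verifier built on the Python standard library, a random per-login value carried in the token's `jti` claim, and an in-memory dictionary standing in for the users table. The names `SERVER_KEY`, `new_db`, `login`, `logout` and `authenticate` are assumptions made for the illustration; the key material and user rows are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed for this example: one server-wide HMAC key. In production this
# would be a random 256-bit secret loaded from configuration, not a literal.
SERVER_KEY = b"constructed-example-key-replace-with-a-random-256-bit-secret"


def new_db() -> dict:
    """Hypothetical users table: user name -> row holding the current login_id."""
    return {"alice": {"login_id": None}, "bob": {"login_id": None}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_decode(token: str, key: bytes, now: float) -> Optional[dict]:
    """Verify algorithm, signature and expiry; return the claims or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side: the token must not choose how it is verified.
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict) or claims["exp"] <= now:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        # Malformed base64/JSON, wrong segment count, missing exp, etc.
        return None


def login(user: str, db: dict, now: float, ttl: int = 3600) -> str:
    """Issue a token whose jti is a fresh random login_id and make that id the
    user's only valid one. Any token from an earlier login becomes stale."""
    login_id = secrets.token_urlsafe(16)
    db[user]["login_id"] = login_id
    claims = {"sub": user, "jti": login_id, "iat": int(now), "exp": int(now) + ttl}
    return jwt_encode(claims, SERVER_KEY)


def logout(user: str, db: dict) -> None:
    """Clearing the stored id invalidates the current token without a token list."""
    db[user]["login_id"] = None


def authenticate(token: str, db: dict, now: float) -> Optional[str]:
    """Return the user name if the token verifies AND is the latest login."""
    claims = jwt_decode(token, SERVER_KEY, now)
    if claims is None:
        return None
    sub = claims.get("sub")
    if not isinstance(sub, str) or sub not in db or db[sub]["login_id"] is None:
        return None
    # Constant-time compare of the token's jti with the stored login_id.
    if not hmac.compare_digest(str(claims.get("jti", "")), db[sub]["login_id"]):
        return None
    return sub


if __name__ == "__main__":
    db = new_db()
    first = login("alice", db, now=1000)      # device A
    second = login("alice", db, now=1060)     # device B, same user
    print(authenticate(first, db, now=1120))  # None: superseded by the second login
    print(authenticate(second, db, now=1120)) # alice
```

The first token still has a valid signature and has not expired; it fails only because the stored `login_id` no longer matches its `jti`, which is exactly the single-login behaviour the answer describes. The same column gives you logout for free (clear it), and the signature is verified with one server key before any database lookup, so a forged or tampered token never reaches the DB. The per-user-secret variant from the question would instead need a database read to fetch the key before the signature could be checked.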