JWT and one(!) session per user / no concurrent sessions


Solution 1

You are very close to the solution.

To do this you need the following:
1. Include iat in the token (Time when the token was issued)
2. Somewhere store the time when the user last logged in, for example in the user's profile.

Now when validating the token, do an extra check: iat (Issued At) must be at or later than the last login time. This implicitly invalidates older tokens.
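As an added illustration of this answer (not code from the original post), here is a minimal HS256 JWT mint/verify pair that applies the iat-versus-last-login check; the in-memory dict `last_login_by_user` is an assumed stand-in for the user-profile store, and `SECRET` is a constructed demo key.

```python
import base64, hmac, hashlib, json

# Assumption: a fixed demo HMAC key; a real service would load its key from secure config.
SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: str, issued_at: int) -> str:
    """Mint an HS256 JWT whose payload carries sub and iat (seconds since epoch)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": issued_at}, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def login(user_id: str, last_login_by_user: dict, now: int) -> str:
    """Record the new login time in the (assumed) profile store, then mint a token with the same iat."""
    last_login_by_user[user_id] = now
    return issue_token(user_id, now)

def validate_token(token: str, last_login_by_user: dict):
    """Verify the signature, then require iat >= the user's stored last-login time.
    Returns the claims on success, None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # signature mismatch: tampered or foreign token
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None  # malformed base64 or JSON
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # only the algorithm we sign with is accepted
    if not isinstance(claims, dict):
        return None
    last_login = last_login_by_user.get(claims.get("sub"))
    if last_login is None or not isinstance(claims.get("iat"), int):
        return None  # unknown user or missing/invalid iat
    if claims["iat"] < last_login:
        return None  # issued before the newest login: superseded by another device
    return claims
```

Because iat has one-second resolution, two logins within the same second both pass the check; a per-login counter or a sub-second timestamp stored alongside the login time closes that window.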

Solution 2

What about closing the session of the user on any other device?

What about: every time the user logs in, you save the last login by type of device, and send a push notification to all the connected devices of the same type (supposedly one)?

In this case, on a browser, you can send the push notification to the browser; just check what happens if that browser is closed at the moment.

In the case of mobile apps, you can send a push notification to the mobile apps with the instruction to close.

Author: Benjamin M

Updated on July 01, 2022

Comments

  • Benjamin M
    Benjamin M about 2 years

    Our current app uses HTTP sessions and we'd like to replace that with JWT.

    The setup allows only a single session per user. This means:

    1. User signs in at Device 1
      • User is logged in at Device 1 (new Session created)
    2. User signs in at Device 2
      • User is logged in at Device 2 (new Session created)
      • User is not logged in at Device 1 (Session got destroyed)

    This works because there's a server-side relation between session id and user id.


    Using JWT, I could imagine having some counter inside the user database, which gets increased with every login, i.e.:

    1. User signs in at Device 1
      • JWT token's signature contains counter+1 (and save new counter to database)
    2. User signs in at Device 2
      • JWT's signature contains counter+1 and it gets increased and saved to db.

    Now with every request I have to check if the incoming signature is correct for the current counter value.

    This somehow makes it stateful. :(

    But ... one of JWT's benefits is that there's no need to access any database or session store for validating the token.


    Is there some other solution for preventing concurrent logins? Maybe something that works without database access and keeps it stateless?

  • an0nh4x0r
    an0nh4x0r almost 5 years
    Thank you. This comment answer was helpful.
  • moeabdol
    moeabdol almost 5 years
    Excellent strategy!
  • Réda Housni Alaoui
    Réda Housni Alaoui almost 5 years
    This solution makes the token validation stateful.
  • The Tahaan
    The Tahaan almost 5 years
    "Stateful" means keeping session information in the server. Storing the state in the DB, which is what I suggested, does NOT make it a stateful solution.
  • Pasha Skender
    Pasha Skender about 4 years
    However if you are using any sort of microservice architecture or clustering, autoscaling etc, keeping track of this in the server will need an additional layer of complexity in case the new login request gets load balanced to a different server instance for example.