I am trying to implement a token-based authentication approach:
Each successful login creates a new token.
If the user chooses "keep me logged in" or is on a mobile device, the token is stored in the Redis database without expiration. Otherwise, the token expires after 20 minutes.
After user authentication, the token is checked with each subsequent request in my Redis database.
I am wondering how I can identify devices. In the case of mobile devices, I can use the device identifier. But how can I identify the browser?
Example: The user logs in from Chrome and selects "Remember me." A token is generated and saved together with the browser name in Redis. If the user then logs in from Firefox, the token and "Firefox" are saved in the database. I save the token in Redis at the moment it is created on successful authentication. Is it good to save only the token and the browser that uses the token? Or do I need to also save the IP?
Additional question: How can I prevent intruders from stealing a token from a cookie?
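One way to lay out the token store described in the question, as an added example that is not part of the original post: a fresh random token per login, only its hash stored in Redis, a 20-minute TTL unless "remember me" is set, a client label bound to each token and checked on every request, and the cookie attributes that limit theft of the token by script or over plain HTTP. The `MemoryRedis` class is a hypothetical in-memory stand-in for the redis-py calls `set(key, value, ex=...)`, `get` and `delete` so the snippet runs offline; `SESSION_TTL`, `issue_token`, `check_token`, `revoke_token` and `session_cookie` are names chosen for this example.

```python
"""Token store with optional expiry, each token bound to a client label.

Added example, not the asker's code. MemoryRedis is a hypothetical
stand-in for redis-py (redis.Redis) so the example runs offline; the
three methods used here have the same shape as the real client's.
"""
import hashlib
import secrets
import time

SESSION_TTL = 20 * 60  # 20 minutes, as in the question


class MemoryRedis:
    """Minimal in-memory stand-in for redis.Redis: set(ex=...), get, delete."""

    def __init__(self, clock=time.time):
        self._data = {}      # key -> (value, expires_at or None)
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def set(self, key, value, ex=None):
        expires_at = (self._clock() + ex) if ex is not None else None
        self._data[key] = (value, expires_at)

    def get(self, key):
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at is not None and self._clock() >= expires_at:
            del self._data[key]  # lazily expire, like Redis would
            return None
        return value

    def delete(self, key):
        self._data.pop(key, None)


def _token_key(token):
    # Store only a hash of the token: a copied Redis dump then yields
    # nothing that can be replayed as a session cookie.
    return "session:" + hashlib.sha256(token.encode()).hexdigest()


def issue_token(store, user_id, client, remember):
    """Create a new token on successful login and record which client it belongs to."""
    token = secrets.token_urlsafe(32)           # 256 bits of randomness
    ttl = None if remember else SESSION_TTL     # no expiry for "keep me logged in"
    store.set(_token_key(token), f"{user_id}|{client}", ex=ttl)
    return token


def check_token(store, token, client):
    """Per-request check: returns the user id, or None if the token is unknown,
    expired, or presented from a different client than it was issued to."""
    value = store.get(_token_key(token))
    if value is None:
        return None
    user_id, bound_client = value.split("|", 1)
    if bound_client != client:
        return None
    return user_id


def revoke_token(store, token):
    """Logout or forced revocation: delete the server-side record."""
    store.delete(_token_key(token))


def session_cookie(token):
    """Set-Cookie value: HttpOnly keeps page scripts from reading the token,
    Secure keeps it off plain HTTP, SameSite limits cross-site sending."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = MemoryRedis()
    chrome = issue_token(store, "alice", "Chrome", remember=False)
    firefox = issue_token(store, "alice", "Firefox", remember=True)
    print(check_token(store, chrome, "Chrome"))    # alice
    print(check_token(store, chrome, "Firefox"))   # None: wrong client
    print(session_cookie(firefox))
```

The client label here is whatever the server derives from the request (the question's browser name, or a mobile device identifier). A browser name taken from the User-Agent header is self-reported, so this binding only stops a stolen token from being replayed carelessly; binding to the IP has the same weakness and additionally breaks for mobile users whose address changes between networks. The protections that actually limit theft are the cookie attributes, TLS for every request, and the ability to revoke a token server-side, all of which the example includes.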