How to force the API to issue only one token per user (open on several tabs)?

I have a web API in .NET Core 1.0 that issues a JWT (access_token) to clients upon login. The token has a short validity period (10 minutes), and the client requests a new token every 8 minutes to keep the session continuous. This token is stored in a cookie in the browser on the client side. This works great if the client only works in one browser tab. However, if the client opens two or more tabs, each tab's 8-minute request for a new token arrives at the API. This leads to several requests from the same user at the same time; my token endpoint processes each request, but only one of the tokens is stored in the cookie on the client side. So multiple tokens are issued, of which only one is used throughout its entire life cycle.

I tried storing the user ID and token in the database and cross-checking them during the API request; however, the same user on several tabs makes simultaneous requests, and that logic does not work here.

How can I solve this situation? I want my API to issue only one token per user, even when that user has multiple tabs open. Any help is appreciated.

1 answer

It's complicated. If you try to save the token in the database and not issue a new token before its expiration, this will create many problems. Think about the case where a user uses multiple devices: this logic will not work. There are many more cases like that.

And storing JWTs on the server is very redundant and inconsistent, IMO. One of the main advantages of JWT is that you do not need to make a database call every time a protected resource is requested. The JWT itself carries all the information needed to authorize a user.

I believe that the solution you are looking for is throttling or rate limiting. You can rate-limit the token endpoint to 1 request/sec/IP (experiment and find a rate that works well). The idea is to block concurrent requests for new tokens from the same IP address and process only one of them. You can achieve this through IIS or through attributes. Play around and see what works best for you.
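One way to apply the throttling the answer suggests, written here as an added example rather than code from the question or the answer: an ASP.NET Core action filter (hypothetical class name `ThrottleTokenRefreshAttribute`, assumed 1.x-era MVC filter APIs) that lets one refresh through per window and answers concurrent duplicates with 429. It keys on the authenticated user when the refresh request carries a still-valid token and falls back to the source IP, since keying on IP alone lumps together users behind NAT.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical throttle for the token-refresh endpoint: the first request in a
// window is served, duplicates from other tabs get 429 Too Many Requests until the
// window expires. State is in-process only, so a multi-server deployment would need
// a shared store (e.g. a distributed cache), and the dictionary is never pruned here.
public class ThrottleTokenRefreshAttribute : ActionFilterAttribute
{
    private static readonly Dictionary<string, DateTime> LastIssued = new Dictionary<string, DateTime>();
    private static readonly object Gate = new object();
    private readonly TimeSpan _window;

    public ThrottleTokenRefreshAttribute(int windowSeconds = 1)
    {
        _window = TimeSpan.FromSeconds(windowSeconds);
    }

    public override void OnActionExecuting(ActionExecutingContext context)
    {
        var http = context.HttpContext;
        // Prefer the user identity from the still-valid token; fall back to client IP.
        var user = http.User?.Identity;
        var key = (user != null && user.IsAuthenticated && !string.IsNullOrEmpty(user.Name))
            ? "user:" + user.Name
            : "ip:" + (http.Connection.RemoteIpAddress?.ToString() ?? "unknown");

        var now = DateTime.UtcNow;
        bool allowed;
        // Check-and-set under one lock so two tabs racing on the same key cannot
        // both observe an expired window and both be served.
        lock (Gate)
        {
            DateTime last;
            allowed = !LastIssued.TryGetValue(key, out last) || now - last >= _window;
            if (allowed) LastIssued[key] = now;
        }

        if (!allowed)
        {
            http.Response.Headers["Retry-After"] = ((int)_window.TotalSeconds).ToString();
            context.Result = new StatusCodeResult(429); // short-circuits the action
        }
    }
}

// Usage on the (assumed) refresh action:
// [HttpPost("token/refresh")]
// [ThrottleTokenRefresh(windowSeconds: 1)]
// public IActionResult Refresh() { /* issue the new JWT */ }
```

The rejected tabs should treat 429 as "another tab already refreshed" and re-read the cookie rather than retrying immediately; the Retry-After header tells them how long to wait.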


Source: https://habr.com/ru/post/1273354/
