Authorization from multiple devices?
I would like to know what approach you use when developing authorization.
The fact is that most articles saying "authorization should be done this way" miss a very important point: they ignore the fact that a user uses several gadgets/browsers to surf the Internet.
The basic model is to generate a hash upon successful authorization and store it in a cookie and in the database.
user_id + user_hash is cool. But in the case of a new authorization on another device, the hash in the database is updated, and the previous session crashes.
And who's stopping you from creating a separate table:
user_id | hash
?
Tables: user + user_session
user_session:
user_id
token
ip
... anything else you want (agent, start date, etc.)
Store the token in a cookie and use it to look up the user in user_session.
After successful authorization, create an entry in user_session containing the token.
You issue the token to the client.
IP (subnet) binding can also be implemented to reduce the risk of session theft.
On logout, set a flag marking the token as inactive.
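The per-device session table described in this answer, as an added example that is not part of the original post (the table layout, the SQLite in-memory store, the /24 and /64 subnet widths and the sample IPs are all constructed here). It stores only a hash of the token so that a leaked database dump cannot be replayed as a cookie, gives each device its own row, invalidates one device on logout without touching the others, and rejects a token presented from outside the subnet it was issued to.

```python
import hashlib
import ipaddress
import secrets
import sqlite3
import time

# Constructed schema for the user_session table from the answer (one row per device).
SCHEMA = """
CREATE TABLE user_session (
    token_hash TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    ip         TEXT NOT NULL,
    agent      TEXT,
    created_at REAL NOT NULL,
    active     INTEGER NOT NULL DEFAULT 1
);
"""


def _hash_token(token: str) -> str:
    # Only the SHA-256 of the cookie value is stored; the raw token exists only in the client's cookie.
    return hashlib.sha256(token.encode()).hexdigest()


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def create_session(db: sqlite3.Connection, user_id: int, ip: str, agent: str = "") -> str:
    """Called after a successful login: insert one row for this device and return the cookie value."""
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy, unguessable
    db.execute(
        "INSERT INTO user_session (token_hash, user_id, ip, agent, created_at) VALUES (?, ?, ?, ?, ?)",
        (_hash_token(token), user_id, ip, agent, time.time()),
    )
    return token


def _same_subnet(stored_ip: str, current_ip: str) -> bool:
    # Subnet (not exact IP) binding so that a mobile client moving within its carrier range keeps its session.
    stored = ipaddress.ip_address(stored_ip)
    prefix = 24 if stored.version == 4 else 64  # assumed widths; tune for your deployment
    net = ipaddress.ip_network(f"{stored_ip}/{prefix}", strict=False)
    current = ipaddress.ip_address(current_ip)
    return current.version == stored.version and current in net


def lookup_user(db: sqlite3.Connection, token: str, current_ip: str):
    """Resolve cookie token -> user_id, or None if unknown, logged out, or from another subnet."""
    row = db.execute(
        "SELECT user_id, ip, active FROM user_session WHERE token_hash = ?",
        (_hash_token(token),),
    ).fetchone()
    if row is None:
        return None
    user_id, stored_ip, active = row
    if not active or not _same_subnet(stored_ip, current_ip):
        return None
    return user_id


def logout(db: sqlite3.Connection, token: str) -> None:
    """Logout on one device: flag only that token inactive; other devices stay logged in."""
    db.execute("UPDATE user_session SET active = 0 WHERE token_hash = ?", (_hash_token(token),))


def logout_all(db: sqlite3.Connection, user_id: int) -> int:
    """Revoke every device at once (e.g. after a password change); returns rows affected."""
    return db.execute("UPDATE user_session SET active = 0 WHERE user_id = ?", (user_id,)).rowcount


def active_session_count(db: sqlite3.Connection, user_id: int) -> int:
    return db.execute(
        "SELECT COUNT(*) FROM user_session WHERE user_id = ? AND active = 1", (user_id,)
    ).fetchone()[0]


def demo() -> dict:
    """Walk through the scenario from the question: two devices, one logs out, the other survives."""
    db = open_db()
    phone = create_session(db, 42, "203.0.113.10", "Mobile")     # constructed sample IPs
    laptop = create_session(db, 42, "198.51.100.7", "Desktop")
    results = {}
    results["both_valid"] = (lookup_user(db, phone, "203.0.113.10") == 42
                             and lookup_user(db, laptop, "198.51.100.7") == 42)
    logout(db, phone)
    results["phone_out_laptop_in"] = (lookup_user(db, phone, "203.0.113.10") is None
                                      and lookup_user(db, laptop, "198.51.100.7") == 42)
    results["subnet_rejects"] = lookup_user(db, laptop, "192.0.2.1") is None
    results["subnet_accepts_neighbor"] = lookup_user(db, laptop, "198.51.100.200") == 42
    return results


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the scenario play out; in a real application the `ip` column would be filled from the request and `created_at` used to expire stale rows. Binding to a subnet rather than the exact address is a trade-off: it tolerates normal address churn but still stops a copied cookie from being used from an unrelated network.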
And why update the authorization key (hash) at each login, when it can be created during registration and then updated only when the password changes?