User identification
WebDev, 2019-07-23 14:44:34

How to correctly identify a user?

When a username and password are entered, I create an entry in the tokens table, which consists of the user_id and token fields.
The token is a generated string of random characters. I return it to the user, who stores it in localStorage and adds it to the headers when he makes calls to the backend.
This token is perpetual. That is, having logged in once, you can use this token as much as you like. In addition, it is possible to be simultaneously authorized on different devices / in different browsers. With each new authorization a new token is simply created, and the old ones continue to work.
Tell me how not to create a new token if the user logs in from the same device as before? Or is it better to invalidate old tokens if nobody has used them for some time?
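Both options from the question (reuse per device, invalidate on inactivity) can be implemented in the existing opaque-token design by adding two columns to the tokens table: a device_id and a last_used timestamp. The sketch below is an added example written for this answer page, not code from the question's author; it stands in for the tokens table with an in-memory dict, assumes the client sends a device_id it generated once and keeps next to the token, and picks a 30-day idle timeout as an assumed policy.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 30 * 24 * 3600  # assumed policy: a token unused for 30 days is dead


class TokenStore:
    """In-memory stand-in for the tokens table: one row per issued token.

    Rows are keyed by the SHA-256 of the token rather than the token itself, so
    a leaked copy of the table cannot be replayed against the API. Each row
    remembers which device the token was issued to and when it was last used.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so tests can move time forward
        self.rows = {}  # token_hash -> {"user_id", "device_id", "last_used"}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def login(self, user_id, device_id):
        """Call only after the username/password check succeeded.

        Any token previously issued to the same (user, device) pair is dropped
        first, so a device that logs in repeatedly holds exactly one live
        token; other devices of the same user are untouched.
        """
        for key, row in list(self.rows.items()):
            if row["user_id"] == user_id and row["device_id"] == device_id:
                del self.rows[key]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.rows[self._key(token)] = {
            "user_id": user_id,
            "device_id": device_id,
            "last_used": self.clock(),
        }
        return token

    def authenticate(self, token):
        """Resolve the token from the request header to a user_id, or None.

        A token idle for longer than idle_timeout is deleted on sight; a valid
        one has its last_used refreshed, giving a sliding expiration.
        """
        key = self._key(token)
        row = self.rows.get(key)
        if row is None:
            return None
        now = self.clock()
        if now - row["last_used"] > self.idle_timeout:
            del self.rows[key]
            return None
        row["last_used"] = now
        return row["user_id"]

    def logout(self, token):
        """Explicit logout on one device."""
        self.rows.pop(self._key(token), None)

    def logout_everywhere(self, user_id):
        """For example after a password change: end every session of the user."""
        for key in [k for k, r in self.rows.items() if r["user_id"] == user_id]:
            del self.rows[key]

    def active_tokens(self, user_id):
        return sum(1 for r in self.rows.values() if r["user_id"] == user_id)

    def purge_idle(self):
        """Periodic job: drop rows nobody has used within idle_timeout."""
        cutoff = self.clock() - self.idle_timeout
        stale = [k for k, r in self.rows.items() if r["last_used"] < cutoff]
        for key in stale:
            del self.rows[key]
        return len(stale)
```

The device_id is only a deduplication key, not a security boundary: the server cannot verify it, so a client that sends a different value on each login simply ends up with several rows, which the idle purge eventually removes. Hashing the token before storing it costs one SHA-256 per request and means the token column is never a usable credential on its own.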


2 answers
Ivan Shumov, 2019-07-23
@inoise

You should read about tokens: JWT, OAuth2, OpenID. For users, the standard recommendation is to use social login. For all cases, use tools such as Keycloak, Auth0 and the like.

xmoonlight, 2019-07-23
@xmoonlight

The token is actually the signature of the client's authorization data on the server side.
Namely, this is what combines the following parameters in the form of a SINGLE hash sum (token):
1. Device ID
2. User ID (+authentication data: password or other)
3. Login time
4. Random character string
5. Token lifetime
If the client re-authorizes (points 1 and 2 are sent to the server), parameters 3 and 4 change automatically.
This means that the old token (hash) becomes invalid for ANY authorization attempt, successful or unsuccessful.
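The five-field token described in the answer above, as an added example that is not the answer's own code. Two assumptions fill in what the answer leaves open: the "hash sum" is computed as an HMAC with a server-side key (a plain unkeyed hash of the fields could be recomputed by anyone who knows them), and the server keeps the nonce of the most recent token per (user, device) so that a re-login really does invalidate the previous token for that device. Field names, the JSON encoding and the demo key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real deployment loads it from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SignedTokenIssuer:
    """Token = base64(claims) + "." + base64(HMAC-SHA256(key, claims)).

    The claims carry the five fields from the answer: device id, user id,
    login time (iat), a random nonce and the lifetime (ttl). Signature,
    device binding and lifetime are checked from the token alone; only the
    "newer login supersedes the old token" rule needs server state.
    """

    def __init__(self, key=SERVER_KEY, clock=time.time):
        self.key = key
        self.clock = clock  # injectable so tests can move time forward
        # (user_id, device_id) -> nonce of the newest token issued to that device
        self.current_nonce = {}

    def _sign(self, body):
        return hmac.new(self.key, body, hashlib.sha256).digest()

    def issue(self, user_id, device_id, lifetime=3600):
        """Called after the user's credentials were verified."""
        claims = {
            "device": device_id,
            "user": user_id,
            "iat": int(self.clock()),
            "nonce": secrets.token_hex(16),
            "ttl": lifetime,
        }
        # Canonical encoding so the signed bytes are reproducible on verify.
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        self.current_nonce[(user_id, device_id)] = claims["nonce"]
        return _b64e(body) + "." + _b64e(self._sign(body))

    def verify(self, token, device_id):
        """Return the user id the token authenticates for this device, else None."""
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _b64d(body_b64), _b64d(sig_b64)
        except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None  # forged or tampered claims
        claims = json.loads(body)
        if claims["device"] != device_id:
            return None  # issued to a different device
        if self.clock() >= claims["iat"] + claims["ttl"]:
            return None  # lifetime exhausted
        if self.current_nonce.get((claims["user"], claims["device"])) != claims["nonce"]:
            return None  # superseded by a newer login on the same device
        return claims["user"]
```

The order of checks matters: the signature is verified before any claim is read, so untrusted JSON is never interpreted, and compare_digest keeps the comparison constant-time. Without the current_nonce map the token would be fully stateless, but then the only way to end a session early would be to wait for ttl to run out.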
