JSON Web Token
gacbhp, 2021-10-26 20:23:02

How to properly use refresh token on different devices?

Please tell me: when a user authorizes on the client, two tokens are stored in cookies, one of them the access token, the other the refresh token. When the access token expires, the client sends the refresh token and the server issues two new tokens to the client. The point is that if the user logs in from another device, for example from a phone, then the refresh token on the first device will no longer be valid. The refresh token is stored in the database table users, in the fields: email, password, refresh_token. That is, when authorizing on another device, the refresh_token field will be updated, and the refresh token in the cookies on the first device is no longer valid. How can I make it so that the refresh token can be used not only on one device?
I saw that I needed to do something with a device ID, but I didn't understand it, and I also didn't understand where to get this device ID from. I would be grateful if you could describe in detail how to properly organize this process.


1 answer(s)
Rsa97, 2021-10-26
@gacbhp

Each device is a separate client and receives its own pair of tokens. Records are written to a separate database table (user_id, refresh_token, token_end_time, status).
When a refresh is requested: if this token is marked in the database as used, then all of the client's tokens are removed from the database as compromised and a login/password authentication request is returned.
If the token has expired or is not in the database, then a login/password authentication request is returned.
If the token is in the database and has not yet been used, then the token is marked as used and a new pair of tokens is issued.
Periodically, expired tokens are removed from the database.
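The scheme in the answer above (one refresh-token row per device, rotation on every refresh, reuse detection, periodic cleanup) as an added, runnable Python example; this is not code from the question or the answer. The `TokenStore` class, its in-memory dict standing in for the (user_id, refresh_token, token_end_time, status) table, the placeholder access-token strings and the `ReauthRequired` exception are all assumptions made for the example. "All of the client's tokens" is read here as every refresh token belonging to the same user_id; a real deployment would store a hash of the refresh token rather than the raw value and return a proper signed JWT as the access token.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Tuple


class ReauthRequired(Exception):
    """Raised when the server must answer with a login/password authentication request."""


@dataclass
class RefreshRecord:
    # One row of the (user_id, refresh_token, token_end_time, status) table;
    # the refresh_token column is the dict key in TokenStore.rows.
    user_id: int
    token_end_time: float
    status: str = "active"  # "active" until rotated, then "used"


class TokenStore:
    """In-memory stand-in for the refresh-token table (assumed structure)."""

    def __init__(self, refresh_ttl: float = 30 * 24 * 3600, now=time.time):
        self.refresh_ttl = refresh_ttl
        self.now = now  # injectable clock so expiry can be tested deterministically
        self.rows: Dict[str, RefreshRecord] = {}

    def _issue_pair(self, user_id: int) -> Tuple[str, str]:
        # Placeholder access token; a real server would sign a short-lived JWT here.
        access = f"access-{user_id}-{secrets.token_urlsafe(16)}"
        refresh = secrets.token_urlsafe(32)
        self.rows[refresh] = RefreshRecord(user_id, self.now() + self.refresh_ttl)
        return access, refresh

    def login(self, user_id: int) -> Tuple[str, str]:
        """Password login succeeded on some device: that device gets its own row and pair."""
        return self._issue_pair(user_id)

    def refresh(self, refresh_token: str) -> Tuple[str, str]:
        """Rotate a refresh token, applying the answer's three rules in order."""
        row = self.rows.get(refresh_token)
        if row is None:
            raise ReauthRequired("refresh token not in database")
        if row.status == "used":
            # A rotated token was presented again: an old copy is in someone's hands,
            # so every refresh token of this user is treated as compromised.
            self.revoke_user(row.user_id)
            raise ReauthRequired("refresh token reuse detected; all sessions revoked")
        if row.token_end_time <= self.now():
            raise ReauthRequired("refresh token expired")
        row.status = "used"  # keep the row so a replay can be detected later
        return self._issue_pair(row.user_id)

    def revoke_user(self, user_id: int) -> int:
        doomed = [t for t, r in self.rows.items() if r.user_id == user_id]
        for t in doomed:
            del self.rows[t]
        return len(doomed)

    def purge_expired(self) -> int:
        """The periodic cleanup job: drop rows whose token_end_time has passed."""
        now = self.now()
        doomed = [t for t, r in self.rows.items() if r.token_end_time <= now]
        for t in doomed:
            del self.rows[t]
        return len(doomed)


def two_device_scenario() -> dict:
    """Laptop and phone log in as user 7; the laptop rotates, then replays its old token."""
    clock = [1000.0]
    store = TokenStore(refresh_ttl=60, now=lambda: clock[0])
    _, laptop_r1 = store.login(user_id=7)
    _, phone_r1 = store.login(user_id=7)  # second device: its own row, laptop row untouched
    _, laptop_r2 = store.refresh(laptop_r1)  # laptop rotates; phone token still active
    phone_still_active = store.rows[phone_r1].status == "active"
    try:
        store.refresh(laptop_r1)  # replay of the already-used laptop token
        reuse_caught = False
    except ReauthRequired:
        reuse_caught = True
    remaining_for_user = sum(1 for r in store.rows.values() if r.user_id == 7)
    return {
        "phone_still_active": phone_still_active,
        "new_laptop_token_differs": laptop_r2 != laptop_r1,
        "reuse_caught": reuse_caught,
        "remaining_for_user": remaining_for_user,
    }


def expiry_scenario() -> dict:
    """A token presented after token_end_time is rejected and later purged."""
    clock = [1000.0]
    store = TokenStore(refresh_ttl=60, now=lambda: clock[0])
    _, r = store.login(user_id=3)
    clock[0] += 61
    try:
        store.refresh(r)
        rejected = False
    except ReauthRequired:
        rejected = True
    return {"expired_rejected": rejected, "purged": store.purge_expired()}
```

The "used" row is deliberately kept rather than deleted on rotation: that row is what lets the server distinguish a replayed old token (revoke everything) from a token it has simply never seen (just ask for a password login).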
