Phil_Dr

Best practices to store user active login devices?

I'm working on a system where users can log in from multiple devices with a single account.

  • It is required to store the device from which the user logged in and delete it when they log out.
  • The system uses access tokens and refresh tokens.
  • The system uses a stateless API.

Well, storing the device when the user logs in and deleting it when they log out is easy. The access token id can be used as a reference to the device.

But what if:

1- The user logs in from two devices of the same type? Should I do something additional in this case?

2- A bad user somehow gets the refresh token and then uses it to generate an access token? In this case the user's device will not be stored!

3- Something in the user's device prevents access to its information, such as the device type?

4- The user uses an app like Parallel Space and runs the app on the same device?

I'm looking forward to hearing your suggestions. Additionally, are there any other things I should be aware of?

jlrdw

You could add a flag column and, if a certain user is logged in, don't allow another login. Just a suggestion.

Phil_Dr

@jlrdw This approach cannot be applied. One of the system requirements is that the user be able to log in from more than one device, as the system will contain a mobile application as well as a website that contains full features.

jlrdw

@Phil_Dr If they can log in with more than one device, I'm just curious why you track it.

Snapey

You need to clearly set out the business expectations and not the technical solutions. You will then know what is permitted and what is not.

1- The user logs in from two devices of the same type? Should I do something additional in this case?

How could we possibly know without knowing the business requirements?
