Multiple logins by the same user

[mksarge]

Problem:
A new servertoken is generated upon each login, so when a user logs in on a second browser, the existing servertoken is overwritten with a new one, rendering the first login in an unusable state.

Solution 1: No change
If a user invalidates their first login by logging in on a second browser, they simply need to log out and log back in on the first browser to generate a new valid token. This invalidates the second browser's login for the same reason.

Solution 2: Log the first device out
Consider it acceptable that a previous login is invalidated when a more recent login occurs. Simply show a message like alert("You have been logged in on another browser") then automatically log out of that browser.

Solution 3: Store multiple servertokens per user
Each new login generates a new servertoken but does not overwrite any existing ones. Servertokens are only ever deleted upon a logout request. If a user closes their browser to exit instead of logging out (arguably very common user behaviour), the token they were using will never be deleted on the server, resulting in a bunch of old, invalid servertokens stored. A solution to clear these old servertokens would need to be implemented.

Solution 4: Use the same servertoken for multiple logins
First log in: user's servertoken field is empty, so generate unique token
Second login: if user's servertoken field is non-empty, that means there is already another browser logged in. Simply retrieve the existing servertoken and let the multiple logins use the same token.

[rtholmes]

Solution 4 sounds best; what's the downside?

[mksarge]

Haven't thought of any so far, was hoping you might think of something, haha.

[rtholmes]

I think it's both the simplest and sound like it'll work, so we might as well go that way :) 👍

[mksarge]

I guess, from a security standpoint, a new login should generate a new unique token and invalidate old ones in order to protect against the potential of a compromised token being re-used.

It still suffers from the problem in Solution 3; if users exit without logging out, the server doesn't know that it should delete the servertoken. So if the user logs back in 1 week later, they will be provided a 1-week-old token that never got deleted.

[mksarge]

Update: I think we'll go with Solution 1/2 for now, ie:

• device 1 logs in
• device 2 logs in
• device 1's token is now invalid; anything that triggers an api call (buttons, refresh) will return a text alert notifying the user of a second login, and asking the user to log out and log in again (note: the user won't be automatically logged out, which could be a frustrating user experience)

This solution requires the least change, and I haven't thought of a good solution to the main problem of Solutions 3 and 4:

• if a user quits the app without logging out, and their browser cache is cleared in the process, that token will never get deleted on the server. (Unless we create another service to find and deletes old server tokens, which doesn't seem ideal.)