I am using Spring Boot, AngularJS and REST for my web application. I am also using JWT/oAuth token for user authentication and authorization, implying that the session is stateless.
We have a requirement wherein a duplicate session should not be allowed for a user.
I have implemented a way by which, if the user logs in from any other browser on the same machine or from any other machine, a session override confirmation message is shown.
If the session is overridden, then the first session will terminate whenever the user tries to perform any activity.
For this, the last token generation time for that user is maintained in the server memory.
If the incoming token's generation time matches the time in memory, then access is granted; else a session expired error is thrown.
When a user performs a successful logout, the entry for that user is flushed from memory and the next authentication request doesn't throw the session override error.
Now what is happening is that whenever a user does not perform a successful logout and simply closes the browser window, the server value is not cleared. When the user tries to log in again, the session override message is thrown, even though (from the user's perspective) there is no duplicate session.
My question is: Is there any way by which we can avoid showing the session override message when the above scenario happens, but at the same time show the override message if the user is really trying a duplicate session?
Are there any applications/designs available to handle such cases?
Any suggestion/idea is welcome.
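The mechanism described in the question, as an added example that is not the asker's code or the project's own: a hand-rolled HS256 JWT whose `iat` claim is the token generation time, an in-memory map of the last generation time per user, the override prompt on a second login, and the walk-through that ends in the problem case (browser closed without logout, so the next login is prompted even though no duplicate session exists). The class and function names, the secret, the user name and the timestamps are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-hmac-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user: str, issued_at: int) -> str:
    """Build a compact HS256 JWT whose 'iat' is the token generation time."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user, "iat": issued_at}, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def parse_token(token: str) -> dict:
    """Verify the HS256 signature and return the claims; reject anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


class SingleSessionRegistry:
    """Per-user 'last token generation time', kept in process memory as the question describes.

    Caveat: a restart or a second application node loses this map, so a clustered
    deployment would need a shared store. Two logins in the same second would also
    collide on 'iat'; a unique per-token id would avoid that (assumption, not the
    question's design).
    """

    def __init__(self) -> None:
        self._last_iat: dict[str, int] = {}

    def login(self, user: str, now: int, confirm_override: bool = False):
        """Return (token, override_required).

        If the user already has an entry and has not confirmed the override, no
        token is issued and the caller should show the confirmation message.
        """
        if user in self._last_iat and not confirm_override:
            return None, True
        self._last_iat[user] = now
        return mint_token(user, now), False

    def authorize(self, token: str) -> str:
        """Admit the request only if the token's iat is the one on record."""
        claims = parse_token(token)
        if self._last_iat.get(claims["sub"]) != claims["iat"]:
            raise PermissionError("session expired: overridden or logged out")
        return claims["sub"]

    def is_active(self, token: str) -> bool:
        try:
            self.authorize(token)
            return True
        except (PermissionError, ValueError, KeyError):
            return False

    def logout(self, token: str) -> None:
        """A successful logout flushes the entry, so the next login is not prompted."""
        claims = parse_token(token)
        self._last_iat.pop(claims["sub"], None)


if __name__ == "__main__":
    reg = SingleSessionRegistry()
    tok_a, _ = reg.login("alice", now=100)
    print("first login admitted:", reg.is_active(tok_a))
    _, prompt = reg.login("alice", now=200)
    print("second browser prompted for override:", prompt)
    tok_b, _ = reg.login("alice", now=200, confirm_override=True)
    print("old session now rejected:", not reg.is_active(tok_a))
    reg.logout(tok_b)
    _, prompt = reg.login("alice", now=300)
    print("prompted after clean logout:", prompt)
    # The case from the question: browser closed without logout, entry stays behind.
    _, prompt = reg.login("alice", now=400)
    print("prompted after closed browser:", prompt)
```

Run it as a script to see the sequence; the last line prints `True`, which is exactly the false override prompt the question is about, because nothing distinguishes an abandoned entry from a live one in this map.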