I am trying to develop a single-login application where registered users can give their PIN to log in. We have an API to validate the PIN and give an access_token for PIN users. We have to consider the latest browser instance of the PIN user as the valid one. If the PIN user is trying to access a previous instance of the browser, we need to redirect them to the home page.
Can anyone help me with how to resolve this?

What I have tried:

I tried to keep an application object (key as PIN), but nothing helps.
Posted
Updated 15-Feb-19 23:14pm
v2
Comments
ZurdoDev 13-Feb-19 15:45pm    
I don't understand your question.
Vijai Anand.G 13-Feb-19 20:22pm    
I am not using a username and password to log in; instead I am using a PIN which is associated with the username and password. I am consuming an API to validate the PIN, which returns an access token if the PIN is valid. Here, how can I log out of all app instances and browser instances when I log in from a new device or browser?

You could use something like SignalR where all your apps subscribed to LogOut() client notification method.

Then, when any of them called a LogMeOut() server method, it could fire LogOut() to all subscribed clients.
I think the addition of SignalR will be unnecessary, since we can easily store the values and, upon a request, validate whether they are valid or we need to block them. Also, SignalR requires that you add an extra layer of service, and if the connections are not cleared they might reuse the token, depending on how we sanitize the data and connections.
Quote:
We have to consider latest browser instance of pin user as valid one.
Then only store the latest version of the PIN and the token. Your token table must be something like this:
C#
// Assuming that you are using Entity Framework, or similar. Otherwise, table structure.
public class Token {
    public string Id { get; set; }          // primary key of the token row
    public string UserId { get; set; }      // one row per user: the latest session wins
    public string Value { get; set; }       // Your pin code here (a property cannot share the class name "Token")
    public DateTime ExpiresAt { get; set; } // reject the row once this time has passed
}
Now, when a user opens a new browser, you should check if the current user already has a token; if they do, then update that token with a new token for the current browser. If they do not have one—meaning this is the only session—create a new token and assign it to the user.

In your authentication module, you should then check if the token is valid—since we only have one token, it would be valid for that browser only—then let them access the website.

A security tip for you, since this is an easy way for users to manipulate and reuse the token on multiple browsers: you should only pass down the token value that you generated. In the background, store the browser's user-agent value and the IP address from where they logged in; this way you can verify whether this was the exact same browser they were using when they were allotted the token. If they reused the token somewhere else, then you can reject the token too, since the other parameters won't match.
Quote:
we need to redirect them to home page.
This will be automatically managed for you: if that token and the other parameters are not valid, then your application will redirect them automatically.
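The scheme described in the answer above, as an added example that is not the answer's own code: a store that keeps exactly one session per user, so issuing a token for a new browser supersedes the earlier one, and validation also checks expiry and the bound user-agent. The class, method names and the in-memory dictionary are assumptions standing in for your token table.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example (not the answer's own code): one active session per user.
// Issuing a token for a user replaces whatever token they held before, so the
// previous browser's token stops validating; the store and names are assumed.
public sealed class SingleSessionStore
{
    private sealed record Session(byte[] TokenHash, string UserAgent, DateTime ExpiresAt);

    // Hypothetical in-memory store keyed by user id; replace with your token table.
    private readonly ConcurrentDictionary<string, Session> _sessions = new();

    // Called after the PIN API returned a valid result: overwrite any earlier session.
    public string Issue(string userId, string userAgent, TimeSpan lifetime)
    {
        var token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _sessions[userId] = new Session(Hash(token), userAgent, DateTime.UtcNow.Add(lifetime));
        return token; // only this generated value is handed to the browser
    }

    // True only for the latest browser; on false the caller redirects to the home page.
    public bool Validate(string userId, string token, string userAgent)
    {
        if (!_sessions.TryGetValue(userId, out var s)) return false;
        if (DateTime.UtcNow >= s.ExpiresAt) { _sessions.TryRemove(userId, out _); return false; }
        if (!string.Equals(s.UserAgent, userAgent, StringComparison.Ordinal)) return false;
        return CryptographicOperations.FixedTimeEquals(Hash(token), s.TokenHash);
    }

    public void Revoke(string userId) => _sessions.TryRemove(userId, out _);

    // Only a hash is kept at rest, so a leaked table does not yield usable tokens.
    private static byte[] Hash(string token) => SHA256.HashData(Encoding.UTF8.GetBytes(token));
}

public static class Demo
{
    public static void Main()
    {
        var store = new SingleSessionStore();
        var first = store.Issue("user42", "Browser-A", TimeSpan.FromMinutes(30));
        var second = store.Issue("user42", "Browser-B", TimeSpan.FromMinutes(30)); // new device logs in
        Console.WriteLine(store.Validate("user42", first, "Browser-A"));  // earlier browser is superseded
        Console.WriteLine(store.Validate("user42", second, "Browser-B")); // latest browser is accepted
        Console.WriteLine(store.Validate("user42", second, "Browser-A")); // same token, wrong user-agent
    }
}
```

`RandomNumberGenerator.GetBytes` and `SHA256.HashData` require .NET 5/6 or later; on older frameworks use `RandomNumberGenerator.Create()` and `SHA256.Create()` instead.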

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)