I think the addition of SignalR will be unnecessary, since we can easily store the values and, upon a request, validate whether they are still valid or need to be blocked. Also, SignalR requires that you add an extra layer of service, and if the connections are not cleared they might reuse the token, depending on how we sanitize the data and connections.
Quote:
We have to consider the latest browser instance of the pin user as the valid one.
Then only store the latest version of pin, and the token. Your token table must be something like this,
public class Token {
    public string Id { get; set; }
    public string UserId { get; set; }
    public string Value { get; set; }      // the token string handed to the browser (a member cannot share the name of its enclosing type)
    public DateTime ExpiresAt { get; set; }
}
Now, when user enters a new browser, you should check if current user has a token, if they have, then update that token with a new token for the current browser. If they do not have one—meaning this is the only session—create a new token and assign that to the user.
In your authentication module, you should then check if the token is valid—since we only have one token, it would be valid for that browser only—then let them access the website.
Security tips for you, since this is an easy way for users to manipulate and reuse the token on multiple browsers: you should only pass down the token value that you generated. In the background, store the browser's user-agent value and the IP address from where they logged in; this way you can verify whether this was the exact same browser they were using when they were allotted a token. If they reused the token somewhere else, then you can reject the token too, since the other parameters won't match.
Quote:
we need to redirect them to the home page.
This will be automatically managed for you: if that token and the other parameters are not valid, then your application will redirect them automatically.
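The single-token-per-user scheme described in this answer, written out as an added example (not code from the original post): the store keeps only the latest token for each user, binds it to the issuing browser's user-agent and IP, and the validation check is what the authentication module would call before letting a request through. `SessionToken`, `SessionStore` and the field names are assumptions for illustration.

```csharp
// Added example: one active session per user, token bound to the issuing browser.
// Class and member names are assumptions, not from the original answer.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public sealed class SessionToken
{
    public string UserId { get; init; } = "";
    public string Value { get; init; } = "";      // the only value sent to the browser
    public string UserAgent { get; init; } = "";  // kept server-side, never sent back
    public string IpAddress { get; init; } = "";
    public DateTime ExpiresAt { get; init; }
}

public static class SessionStore
{
    // One entry per user: issuing a new token overwrites the old one, so the
    // previous browser's copy stops validating on its next request.
    private static readonly ConcurrentDictionary<string, SessionToken> ByUser = new();

    public static SessionToken Issue(string userId, string userAgent, string ip, TimeSpan lifetime)
    {
        var token = new SessionToken
        {
            UserId = userId,
            Value = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32)),
            UserAgent = userAgent,
            IpAddress = ip,
            ExpiresAt = DateTime.UtcNow.Add(lifetime),
        };
        ByUser[userId] = token; // latest browser wins
        return token;
    }

    // True only if the presented token is the user's current one, has not expired,
    // and arrives from the same browser and IP it was issued to. A false result is
    // where the caller clears the cookie and redirects to the home page.
    public static bool Validate(string userId, string presented, string userAgent, string ip)
    {
        if (!ByUser.TryGetValue(userId, out var current)) return false;
        if (DateTime.UtcNow >= current.ExpiresAt) return false;
        var expected = Encoding.UTF8.GetBytes(current.Value);
        var given = Encoding.UTF8.GetBytes(presented ?? "");
        if (!CryptographicOperations.FixedTimeEquals(expected, given)) return false; // no early-exit compare
        return current.UserAgent == userAgent && current.IpAddress == ip;
    }
}
```

Call `Issue` on login and `Validate` in the authentication module on every request; when the same user logs in from a second browser, its `Issue` call replaces the first browser's entry, so the first browser fails `Validate` and gets redirected.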