How to make API issue only one token per user (opened in multiple tabs)?

I have a web API in .NET Core 1.0 which issues a JWT token (access_token) to the clients at login. Now, the token has a short expiry period (10 mins) and the client requests a new token every 8 mins for the continuity of the session. This token is stored in a cookie in the browser at the client side. Now, this works fine if the client works in only one tab of the browser. However, if the client opens two or more tabs, every 8 minutes a request for a new token is made to the API from each tab. This results in multiple simultaneous requests from the same user, and my application issues a token for each and every request, but only one of the tokens is stored in the client-side cookie. So it results in multiple tokens, out of which only a single one is used throughout its lifetime.

I have tried storing the userId and token in the DB and cross-checking them during API requests; however, the same user in multiple tabs makes simultaneous requests and the logic fails here.

How can I resolve this situation? I want my API to issue only one token per user opened in multiple tabs. Any help is appreciated.

saurabhadhikari asked Nov 14 '17 11:11


1 Answer

This is tricky. If you try to store the token in the DB and not issue a fresh token until the old one expires, it will create a plethora of problems. Think of the case when the user uses multiple devices. This logic won't work. There are many more cases.

And storing the JWT on the server is very redundant and counter-intuitive, IMO. One of the primary benefits of JWT is that you don't have to make a DB call every time a protected resource is requested. The JWT itself has all the information for authorizing the user.

I believe the solution you are looking for is throttling or rate limiting. You can limit the token issue endpoint to 1 request/sec/IP (experiment and find the rate which works well). The idea is to block the concurrent requests for new token issues from the same IP and process just one of them. You can achieve this through IIS or through Attributes. Play around and see what works best for you.

mrtyormaa answered Sep 28 '22 10:09
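The throttling idea from the answer, and the race the asker hit with the DB check, as an added illustration that is not part of the original thread or of any .NET code: a per-key (client IP or user id) window during which only the first token request is served, with the check-and-update done under a lock so simultaneous tab requests cannot all pass the check. The class and function names, the one-second window and the token minting are assumptions for this example; the same shape would be a middleware or action filter in the asker's .NET Core API.

```python
"""Per-key throttle for a token-issue endpoint (constructed example).

Concurrent refresh requests from the same client (several browser tabs)
arriving inside a short window are collapsed: the first one gets a fresh
token, the rest get 429 and keep using the token already in the shared
cookie, which the winning tab has just updated.
"""
import secrets
import threading
import time
from typing import Callable, Dict, Tuple


class TokenIssueThrottle:
    """Allow one token issue per key per window.

    The lock makes this safe under simultaneous requests. A plain
    "read last issue time from the DB, then decide" check races, because
    every tab reads the stale state before any of them writes.
    """

    def __init__(self, window_seconds: float = 1.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.window = window_seconds
        self.clock = clock                  # injectable for deterministic tests
        self._lock = threading.Lock()
        self._last_issue: Dict[str, float] = {}

    def request_token(self, key: str) -> Tuple[int, str]:
        """Return (HTTP status, token): 200 plus a new token when the key is
        outside its window, otherwise 429 and an empty string."""
        now = self.clock()
        with self._lock:                    # check-and-update is atomic
            last = self._last_issue.get(key)
            if last is not None and now - last < self.window:
                return 429, ""
            self._last_issue[key] = now
        # Placeholder for real JWT minting; the throttle is independent of it.
        return 200, secrets.token_urlsafe(16)


def simulate_tabs(throttle: TokenIssueThrottle, key: str, tabs: int) -> int:
    """Fire `tabs` simultaneous refresh requests for one key from separate
    threads and return how many of them were granted a token."""
    granted = []

    def one_tab() -> None:
        status, _ = throttle.request_token(key)
        if status == 200:
            granted.append(1)

    threads = [threading.Thread(target=one_tab) for _ in range(tabs)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(granted)
```

Keyed by IP, as the answer suggests, this also collapses distinct users behind one NAT address into a single refresh per second, so keying by the authenticated user id from the expiring token is the alternative to weigh.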