0

I have a website where I am using regular HTTP API requests and a websocket authenticated connection for realtime data.

I am using token authentication for API requests, authenticating websocket connection upon connection via header token.

I would however still like to somehow uniquely identify a "session", if a user was using the same token on two machines. Do I save a random string generated upon login along with the authentication token, to uniquely identify a session?

Or did I go about this the wrong way and is token authentication really just not appropriate for my case?

Because token authentication is just so much easier to implement on the frontend, as I am using React.

xtrinch
  • 2,232
  • 1
  • 24
  • 46
  • why dont you add ipaddress from your client machine into the token too? – Facundo La Rocca Dec 30 '16 at 12:41
  • How does that work when two computers are accessing behind NAT? – xtrinch Dec 30 '16 at 12:44
  • I mean whatever you can get from client computer (IP, MAC Address, etc.). Even you can think about a identifying system, e.g. the first time a client connects you generate an unique id a return it to the client, the client could store that id using cookies. You will know where the client is caming from. Did you check JSon Web Token system? – Facundo La Rocca Dec 30 '16 at 13:13

0 Answers0